Abstract. In a previous work, we proved that an important part of the Calculus of Inductive Constructions (CIC), the basis of the Coq proof assistant, can be seen as a Calculus of Algebraic Constructions (CAC), an extension of the Calculus of Constructions with functions and predicates defined by higher-order rewrite rules. In this paper, we prove that almost all CIC can be seen as a CAC, and that it can be further extended with non-strictly positive types and inductive-recursive types together with non-free constructors and pattern-matching on defined symbols.



1. Introduction 

There have been different proposals for defining inductive types¹ and functions in typed systems. In Girard's polymorphic $\lambda$-calculus or in the Calculus of Constructions (CC) [10], data types and functions can be formalized by using impredicative encodings, difficult to use in practice, and computations are done by $\beta$-reduction only. In Martin-Löf's type theory or in the Calculus of Inductive Constructions (CIC) [11], inductive types and their induction principles are first-class objects, functions can be defined by induction and computations are done by $\iota$-reduction, the rules for cut-elimination in inductive proofs. For instance, for the type $nat$ of natural numbers, the recursor² $rec : (P : nat \Rightarrow *)(u : P0)(v : (n : nat)Pn \Rightarrow P(sn))(n : nat)Pn$ is defined by the following $\iota$-rules:

$rec\ P\ u\ v\ 0 \to_\iota u$
$rec\ P\ u\ v\ (s\ n) \to_\iota v\ n\ (rec\ P\ u\ v\ n)$

Finally, in the algebraic setting [12], functions are defined by using rewrite rules and computations are done by applying these rules. Since both $\beta$-reduction and $\iota$-reduction are particular cases of higher-order rewriting [18], proposals soon appeared for integrating all these approaches. Starting with [16, 2], this objective culminated with [4, 5, 6] in which an important part of CIC (described in [5]) can be seen as a Calculus of Algebraic Constructions (CAC), an extension of CC with functions and predicates defined by higher-order rewrite rules. In this paper, we go one step further in this direction, capture almost all CIC and extend it with non-strictly positive inductive types and inductive-recursive types [13].

¹ All over the paper, by "inductive types", we also mean inductively defined predicates or families of types.

² $(x : T)P$ is the usual type-theoretic notation for the dependent product or universal quantification "for all $x$ of type $T$, $P$".

Let us see two examples of recursors that are allowed in CIC but not in CAC [26]. The first example is a third-order definition of finite sets of natural numbers (represented as predicates over $nat$):

$fin : (nat \Rightarrow *) \Rightarrow *$
$empty : fin([y : nat]\bot)$
$add : (x : nat)(p : nat \Rightarrow *)fin\ p \Rightarrow fin([y : nat]y = x \vee (p\ y))$
$rec : (Q : (nat \Rightarrow *) \Rightarrow *)Q([y : nat]\bot) \Rightarrow ((x : nat)(p : nat \Rightarrow *)fin\ p \Rightarrow Qp \Rightarrow Q([y : nat]y = x \vee (p\ y))) \Rightarrow (p : nat \Rightarrow *)fin\ p \Rightarrow Qp$

where $\bot$ is the false proposition and the weak recursor $rec$, i.e. the recursor for defining objects, is defined by the rules:

$rec\ Q\ u\ v\ p'\ empty \to u$
$rec\ Q\ u\ v\ p'\ (add\ x\ p\ h) \to v\ x\ p\ h\ (rec\ Q\ u\ v\ p\ h)$

The problem comes from the fact that, in the output type of $add$, $fin([y : nat]y = x \vee (p\ y))$, the predicate $p$ is not a parameter of $fin$. This is why the corresponding strong recursor, i.e. the recursor for defining types or predicates, is not allowed in CIC ($p$ could be "bigger" than $fin$) [9]. This can be generalized to any big/impredicative dependent type, that is, to any type having a constructor with a predicate argument which is not a parameter. Formally, this condition, called (I6) in [6], safeness in [29] and $*$-dependency for constructors in [31], can be stated as follows:

Definition 1.1. (I6)

If $C : (\vec z : \vec V)*$ is a type and $c : (\vec x : \vec T)C\vec v$ is a constructor of $C$ then, for all predicate variable $x$ occurring in some $T_j$, there is some argument $v_{\iota_x} = x$.

The second example is John Major's equality, which is intended to equate terms of different types [20]:

$JMeq : (A : *)A \Rightarrow (B : *)B \Rightarrow *$
$refl : (C : *)(x : C)(JMeq\ C\ x\ C\ x)$
$rec : (A : *)(x : A)(P : (B : *)B \Rightarrow *)(P\ A\ x) \Rightarrow (B : *)(y : B)(JMeq\ A\ x\ B\ y) \Rightarrow (P\ B\ y)$

where $rec$ is defined by the rule:

$rec\ C\ x\ P\ h\ C\ x\ (refl\ C\ x) \to h$
Here, the problem comes from the fact that, in the output type of $refl$, the argument for $B$ is equal to the argument for $A$. This can be generalized to any polymorphic type having a constructor with two equal type parameters. From a rewriting point of view, this is like having pattern-matching or non-linearities on predicate arguments, which is known to create inconsistencies in some cases [15]. A similar restriction called $*$-dependency for function symbols also appears in [31].

Definition 1.2. (Safeness)

A rule $f\vec l \to r$ with $f : (\vec x : \vec T)U$ is safe if:

- for all predicate argument $x_i$, $l_i$ is a variable,

- if $x_i$ and $x_j$ are two distinct predicate arguments, then $l_i \neq l_j$.

An inductive type is safe if the corresponding $\iota$-rules are safe.

By using what is called in Matthes' terminology [19] an elimination-based interpretation instead of the introduction-based interpretation that we used in [6], we prove that weak recursors for types like $fin$ or $JMeq$ can be accepted, hence that CAC subsumes CIC almost completely. The only condition we could not get rid of is the safeness condition for predicate-level rewrite rules. So, we do not accept strong elimination on $JMeq$ (strong elimination for $fin$ is allowed neither in CIC nor in CAC [9]). On the other hand, we prove that CAC and CIC can be easily extended to non-strictly positive types (Section 8) and to inductive-recursive types (Section 9) [13].

2. The Calculus of Inductive Constructions (CIC) 

We assume the reader familiar with typed $\lambda$-calculi [3]. In this section, we present CIC as defined in [32]. In order to type the strong elimination schema in a polymorphic way, which is not possible in CC, Werner uses a slightly more general Pure Type System (PTS) [3]. CC is the PTS with the sorts $\mathcal S = \{*, \Box\}$, the axioms $\mathcal A = \{(*, \Box)\}$ and the rules $\mathcal B = \{(s_1, s_2, s_3) \in \mathcal S^3 \mid s_2 = s_3\}$. Werner extends it by adding the sort $\triangle$, the axiom $(\Box, \triangle)$ and the rules $(*, \triangle, \triangle)$ and $(\Box, \triangle, \triangle)$. In fact, he denotes $*$ by $Set$, $\Box$ by $Type$ and $\triangle$ by $Extern$. The sort $*$ denotes the universe of types and propositions, and the sort $\Box$ denotes the universe of predicate types (also called kinds). For instance, the type $nat$ of natural numbers is of type $*$, $*$ itself is of type $\Box$ and $nat \Rightarrow *$, the type of predicates over $nat$, is of type $\Box$. Then, Werner adds terms for representing inductive types, their constructors and the definitions by recursion on these types:

• Inductive types. An inductive type is denoted by $I = Ind(X : A)\{\vec C\}$ where $\vec C$ is an ordered sequence of terms for the types of the constructors of $I$. For instance, $Nat = Ind(X : *)\{X, X \Rightarrow X\}$ represents the type of natural numbers (in fact, any type isomorphic to the type of natural numbers). The term $A$ must be of the form $(\vec x : \vec A)*$ and the $C_i$'s of the form $(\vec z : \vec B)X\vec m$ with no $X$ in $\vec m$. Furthermore, the inductive types must be strictly positive. In CIC, this means that, if $C_i = (\vec z : \vec B)X\vec m$ then, for all $j$, either $X$ does not occur in $B_j$, or $B_j$ is of the form $(\vec y : \vec D)X\vec q$ and $X$ occurs neither in $\vec D$ nor in $\vec q$.

• Constructors. The $i$-th constructor of an inductive type $I$ is denoted by $Constr(i, I)$. For instance, $Constr(1, Nat)$ represents zero and $Constr(2, Nat)$ represents the successor function.

• Definitions by recursion. A definition by recursion on an inductive type $I$ is denoted by $Elim(I, Q, \vec a, c)$ where $Q$ is the type of the result, $\vec a$ the arguments of $I$ and $c$ a term of type $I\vec a$. The strong elimination (i.e. when $Q$ is a predicate type) is restricted to small inductive types, that is, to the types whose constructors have no other predicate arguments than the ones that their type has. Formally, an inductive type $I = Ind(X : A)\{\vec C\}$ is small if all the types of its constructors are small, and a constructor type $C = (\vec z : \vec B)X\vec m$ is small if $\vec z$ are object variables (this means that the predicate arguments must be part of the environment in which they are typed; they cannot be part of $C$).

For defining the reduction relation associated with $Elim$, called $\iota$-reduction and denoted by $\to_\iota$, and the typing rules of these inductive constructions (see Figure 1), it is necessary to introduce a few definitions. Let $C$ be a constructor type. We define $\Delta\{I, X, C, Q, c\}$ as follows:

- $\Delta\{I, X, X\vec m, Q, c\} = Q\vec m c$

- $\Delta\{I, X, (z : B)D, Q, c\} = (z : B)\Delta\{I, X, D, Q, cz\}$ if $X$ does not occur in $B$

- $\Delta\{I, X, (z : B)D, Q, c\} = (z : B\{X \mapsto I\})((\vec y : \vec D)Q\vec q(z\vec y)) \Rightarrow \Delta\{I, X, D, Q, cz\}$ if $B = (\vec y : \vec D)X\vec q$

Then, the $\iota$-reduction is defined by the rule:

$Elim(I, Q, \vec x, Constr(i, I')\vec z)\{\vec f\} \to_\iota \Delta[I, X, C_i, f_i, FunElim(I, Q, \vec f)]\vec z$

where $I = Ind(X : A)\{\vec C\}$, $FunElim(I, Q, \vec f) = [\vec x : \vec A][y : I\vec x]Elim(I, Q, \vec x, y)\{\vec f\}$ and $\Delta[I, X, C, f, F]$ is defined as follows:

- $\Delta[I, X, X\vec m, f, F] = f$

- $\Delta[I, X, (z : B)D, f, F] = [z : B]\Delta[I, X, D, fz, F]$ if $X$ does not occur in $B$

- $\Delta[I, X, (z : B)D, f, F] = [z : B\{X \mapsto I\}]\Delta[I, X, D, fz([\vec y : \vec D]F\vec q(z\vec y)), F]$ if $B = (\vec y : \vec D)X\vec q$

Finally, in the type conversion rule (Conv), in addition to $\beta$-reduction and $\iota$-reduction, Werner considers $\eta$-reduction: $[x : T]ux \to_\eta u$ if $x$ does not occur in $u$. The relation $\leftrightarrow^*_{\beta\iota\eta}$ is the reflexive, symmetric and transitive closure of $\to_{\beta\iota\eta}$. Note that, since $\to_{\beta\eta}$ is not confluent on badly typed terms [23], considering $\eta$-reduction creates important difficulties.

3. The Calculus of Algebraic Constructions (CAC) 

We assume the reader familiar with rewriting [12]. The Calculus of Algebraic Constructions (CAC) [6] simply extends CC with a set $\mathcal F$ of symbols and a set $\mathcal R$ of rewrite rules (see Definition 3.3).

Definition 3.1. (Terms)

The set $\mathcal T$ of CAC terms is inductively defined as follows:

$t, u \in \mathcal T ::= s \mid x \mid f \mid [x : t]u \mid tu \mid (x : t)u$

where $s \in \mathcal S = \{*, \Box\}$ is a sort, $x \in \mathcal X$ is a variable, $f \in \mathcal F$ is a symbol, $[x : t]u$ is an abstraction, $tu$ is an application, and $(x : t)u$ is a dependent product, written $t \Rightarrow u$ if $x$ does not freely occur in $u$. As usual, terms are considered up to $\alpha$-conversion, i.e. up to sort-preserving renaming of bound variables. A term $t$ is of the form a term $u$ if $t$ is $\alpha$-convertible to $u\sigma$ for some substitution $\sigma$.

Figure 1. Typing rules for inductive constructions in CIC

(Ind) $\dfrac{A = (\vec x : \vec A)* \quad \Gamma \vdash A : \Box \quad \forall i,\ \Gamma, X : A \vdash C_i : * \quad I = Ind(X : A)\{\vec C\} \text{ is strictly positive}}{\Gamma \vdash I : A}$

(Constr) $\dfrac{I = Ind(X : A)\{\vec C\} \quad \Gamma \vdash I : T}{\Gamma \vdash Constr(i, I) : C_i\{X \mapsto I\}}$

($*$-Elim) $\dfrac{A = (\vec x : \vec A)* \quad I = Ind(X : A)\{\vec C\} \quad \Gamma \vdash Q : (\vec x : \vec A)I\vec x \Rightarrow * \quad T_i = \Delta\{I, X, C_i, Q, Constr(i, I)\} \quad \forall j,\ \Gamma \vdash a_j : A_j\{\vec x \mapsto \vec a\} \quad \Gamma \vdash c : I\vec a \quad \forall i,\ \Gamma \vdash f_i : T_i}{\Gamma \vdash Elim(I, Q, \vec a, c)\{\vec f\} : Q\vec a c}$

($\Box$-Elim) $\dfrac{A = (\vec x : \vec A)* \quad I = Ind(X : A)\{\vec C\} \text{ is small} \quad \Gamma \vdash Q : (\vec x : \vec A)I\vec x \Rightarrow \Box \quad T_i = \Delta\{I, X, C_i, Q, Constr(i, I)\} \quad \forall j,\ \Gamma \vdash a_j : A_j\{\vec x \mapsto \vec a\} \quad \Gamma \vdash c : I\vec a \quad \forall i,\ \Gamma \vdash f_i : T_i}{\Gamma \vdash Elim(I, Q, \vec a, c)\{\vec f\} : Q\vec a c}$

(Conv) $\dfrac{\Gamma \vdash t : T \quad T \leftrightarrow^*_{\beta\iota\eta} T' \quad \Gamma \vdash T' : s}{\Gamma \vdash t : T'}$

We denote by $FV(t)$ the set of variables that freely occur in $t$, by $Pos(t)$ the set of Dewey's positions in $t$ (words on strictly positive integers), by $t|_p$ the subterm of $t$ at position $p$, by $Pos(x, t)$ the set of positions $p \in Pos(t)$ such that $t|_p$ is a free occurrence of $x$ in $t$, and by $dom(\theta) = \{x \in \mathcal X \mid x\theta \neq x\}$ the domain of a substitution $\theta$. Let $\vec t$ denote a sequence of terms $t_1 \ldots t_n$ of length $|\vec t| = n \geq 0$.

Every $x \in \mathcal X \cup \mathcal F$ is equipped with a sort $s_x$. We denote by $\mathcal X^s$ (resp. $\mathcal F^s$) the set of variables (resp. symbols) of sort $s$. Let $FV^s(t) = FV(t) \cap \mathcal X^s$ and $dom^s(\theta) = dom(\theta) \cap \mathcal X^s$. A variable or a symbol of sort $*$ (resp. $\Box$) is an object (resp. a predicate).

Although terms and types are mixed in Definition 3.1, we can distinguish the following three disjoint sub-classes where $t \in \mathcal T$ denotes any term:

- objects: $o \in \mathcal O ::= x \in \mathcal X^* \mid f \in \mathcal F^* \mid [x : t]o \mid ot$

- predicates: $P \in \mathcal P ::= x \in \mathcal X^\Box \mid f \in \mathcal F^\Box \mid [x : t]P \mid Pt \mid (x : t)P$

- predicate types or kinds: $K \in \mathcal K ::= * \mid (x : t)K$

Definition 3.2. (Precedence)

We assume given a total quasi-ordering $\geq$ on symbols whose strict part $>\; = \;\geq \setminus \leq$ is well-founded, and let $\simeq\; = \;\geq \cap \leq$ be its associated equivalence relation. A symbol $f$ is smaller (resp. strictly smaller) than a symbol $g$ iff $f \leq g$ (resp. $f < g$). A symbol $f$ is equivalent to a symbol $g$ iff $f \simeq g$.
Figure 2. Typing rules of CAC

(ax) $\vdash * : \Box$

(symb) $\dfrac{\vdash \tau_f : s_f}{\vdash f : \tau_f}$

(var) $\dfrac{\Gamma \vdash T : s_x}{\Gamma, x : T \vdash x : T}$ $(x \notin dom(\Gamma))$

(weak) $\dfrac{\Gamma \vdash t : T \quad \Gamma \vdash U : s_x}{\Gamma, x : U \vdash t : T}$ $(x \notin dom(\Gamma))$

(prod) $\dfrac{\Gamma \vdash U : s \quad \Gamma, x : U \vdash V : s'}{\Gamma \vdash (x : U)V : s'}$

(abs) $\dfrac{\Gamma, x : U \vdash v : V \quad \Gamma \vdash (x : U)V : s}{\Gamma \vdash [x : U]v : (x : U)V}$

(app) $\dfrac{\Gamma \vdash t : (x : U)V \quad \Gamma \vdash u : U}{\Gamma \vdash tu : V\{x \mapsto u\}}$

(conv) $\dfrac{\Gamma \vdash t : T \quad \Gamma \vdash T' : s}{\Gamma \vdash t : T'}$ $(T \downarrow_{\beta\mathcal R} T')$

Definition 3.3. (Rewrite rule)

The terms only built from variables and applications of the form $f\vec t$ are called algebraic. A rewrite rule is a pair $l \to r$ such that:

- $l$ is algebraic,

- $l$ is not a variable,

- $FV(r) \subseteq FV(l)$,

- every symbol occurring in $r$ is smaller than $f$, the head symbol of $l$.

The rewrite relation $\to_{\mathcal R}$ induced by $\mathcal R$ is the smallest relation containing $\mathcal R$ and stable by context and substitution: $t \to_{\mathcal R} t'$ iff there exist $p \in Pos(t)$, $l \to r \in \mathcal R$ and $\sigma$ such that $t = t[l\sigma]_p$ and $t' = t[r\sigma]_p$. A symbol $f$ with no rule $f\vec l \to r \in \mathcal R$ is constant, otherwise it is (partially) defined. Let $\mathcal{CF}^s$ (resp. $\mathcal{DF}^s$) be the set of constant (resp. defined) symbols of sort $s$.

Definition 3.4.  (Typing)

Every $f \in \mathcal F$ is equipped with a type $\tau_f$ such that:

- $\tau_f$ is a closed term of the form $(\vec x : \vec T)U$ with $U$ distinct from a product,

- every symbol occurring in $\tau_f$ is strictly smaller than $f$,

- for every rule $f\vec l \to r \in \mathcal R$, we have $|\vec l| \leq |\vec x|$.

A constructor is any symbol $f$ whose type is of the form $(\vec y : \vec U)C\vec v$ with $C \in \mathcal{CF}^\Box$. Let $Cons$ be the set of constructors. A typing environment is a sequence of variable-type pairs. Given $f$ of type $(\vec x : \vec T)U$, we denote by $\Gamma_f$ the environment $\vec x : \vec T$.

The typing relation of CAC is the relation $\vdash$ defined in Figure 2. Let $\vdash_g$ (resp. $\vdash_{<g}$) be the typing relation defined by the rules of Figure 2 with the side condition $f \leq g$ (resp. $f < g$) in the (symb) rule.

In comparison with CC, we added the rule (symb) for typing symbols and, in the rule (conv), we replaced $\leftrightarrow^*_\beta$ by $\downarrow_{\beta\mathcal R}$, where $u \downarrow_{\beta\mathcal R} v$ iff there exists a term $w$ such that $u \to^*_{\beta\mathcal R} w$ and $v \to^*_{\beta\mathcal R} w$, $\to^*_{\beta\mathcal R}$ being the reflexive and transitive closure of $\to_{\beta\mathcal R} = \to_\beta \cup \to_{\mathcal R}$. This means that types having a common reduct are identified and share the same proofs: any term of type $T$ is also of type $T'$ if $T$ and $T'$ have a common reduct. For instance, a proof of $P(2 + 2)$ is also a proof of $P(4)$ if $\mathcal R$ contains the rules:

$x + 0 \to x$
$x + (s\ y) \to s\ (x + y)$

This decreases the size of proofs by an important factor, and increases the automation as well. All over the paper, we assume that $\to_{\beta\mathcal R}$ is confluent. This is the case if, for instance, $\mathcal R$ is left-linear and confluent [22], like $\iota$-reduction is.
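The conversion step just described, as an added example that is not part of the paper: a small first-order rewriter for the two rules on $nat$ above, which normalizes $2 + 2$ and $4$ to the same term, and which also checks the rule conditions of Definition 3.3 and the non-duplication condition on first-order rules stated in Section 4. The tuple encoding of terms and the leftmost-outermost strategy are choices made for this example.

```python
# Added example, not from the paper: a small first-order rewriter for the two
# rules on natural numbers quoted above, used to check that 2 + 2 and 4 have a
# common reduct, which is exactly what the (conv) rule of CAC identifies.
# Terms are tuples: ('var', x) is a variable and ('app', f, args) is f t1 ... tn
# (a constant such as 0 is an application with no arguments).
from collections import Counter

def var(x): return ('var', x)
def app(f, *args): return ('app', f, tuple(args))

def free_vars(t):
    """FV(t) for an algebraic term."""
    if t[0] == 'var':
        return {t[1]}
    return set().union(*(free_vars(a) for a in t[2]))

def var_occurrences(t):
    """How many times each variable occurs in t."""
    if t[0] == 'var':
        return Counter([t[1]])
    return sum((var_occurrences(a) for a in t[2]), Counter())

def is_well_formed_rule(lhs, rhs):
    """Definition 3.3: l is not a variable and FV(r) is included in FV(l)
    (l is algebraic by construction; the precedence condition is not modelled)."""
    return lhs[0] != 'var' and free_vars(rhs) <= free_vars(lhs)

def is_non_duplicating(lhs, rhs):
    """Section 4's condition on first-order rules: no variable occurs more
    often in the right-hand side than in the left-hand side."""
    left = var_occurrences(lhs)
    return all(n <= left[x] for x, n in var_occurrences(rhs).items())

def match(pattern, term, subst):
    """Syntactic matching: extend subst so that pattern*subst == term, else None."""
    if pattern[0] == 'var':
        bound = subst.get(pattern[1])
        if bound is None:
            subst[pattern[1]] = term
            return subst
        return subst if bound == term else None
    if term[0] != 'app' or term[1] != pattern[1] or len(term[2]) != len(pattern[2]):
        return None
    for p, t in zip(pattern[2], term[2]):
        if match(p, t, subst) is None:
            return None
    return subst

def substitute(t, subst):
    if t[0] == 'var':
        return subst.get(t[1], t)
    return ('app', t[1], tuple(substitute(a, subst) for a in t[2]))

def rewrite_step(t, rules):
    """One step of ->_R at the leftmost-outermost redex; None if t is in normal form."""
    for lhs, rhs in rules:
        sigma = match(lhs, t, {})
        if sigma is not None:
            return substitute(rhs, sigma)
    if t[0] == 'app':
        for i, a in enumerate(t[2]):
            a2 = rewrite_step(a, rules)
            if a2 is not None:
                args = list(t[2])
                args[i] = a2
                return ('app', t[1], tuple(args))
    return None

def normalize(t, rules):
    """Iterate ->_R until no rule applies (the rules below are terminating)."""
    while True:
        t2 = rewrite_step(t, rules)
        if t2 is None:
            return t
        t = t2

def joinable(t, u, rules):
    """t |_R u: for a confluent and terminating R, compare the normal forms."""
    return normalize(t, rules) == normalize(u, rules)

ZERO = app('0')
def s(t): return app('s', t)
def plus(t, u): return app('+', t, u)

def numeral(n):
    """The term s(s(...(0))) with n successors."""
    t = ZERO
    for _ in range(n):
        t = s(t)
    return t

RULES = [
    (plus(var('x'), ZERO), var('x')),                            # x + 0 -> x
    (plus(var('x'), s(var('y'))), s(plus(var('x'), var('y')))),  # x + (s y) -> s (x + y)
]
```

`joinable(plus(numeral(2), numeral(2)), numeral(4), RULES)` returns `True`, which is the reason a proof of $P(2 + 2)$ is accepted as a proof of $P(4)$ by (conv).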

A substitution $\theta$ preserves typing from $\Gamma$ to $\Delta$, written $\theta : \Gamma \leadsto \Delta$, if, for all $x \in dom(\Gamma)$, $\Delta \vdash x\theta : x\Gamma\theta$, where $x\Gamma$ is the type associated to $x$ in $\Gamma$. Type-preserving substitutions enjoy the following important property: if $\Gamma \vdash t : T$ and $\theta : \Gamma \leadsto \Delta$ then $\Delta \vdash t\theta : T\theta$ (Lemma 24 in [5]).

For ensuring the subject reduction property (preservation of typing under reduction, see Theorems 5 and 16 in [6]), rules must satisfy the following conditions (see Definition 3 in [6]):

Definition 3.5. (Well-typed rules)

Every rule $f\vec l \to r$ is assumed to be equipped with an environment $\Gamma$ and a substitution $\rho$ such that, if $\tau_f = (\vec x : \vec T)U$ and $\gamma = \{\vec x \mapsto \vec l\}$, the following conditions are satisfied:

- $\Gamma \vdash r : U\gamma\rho$,

- $\forall \Delta, \sigma, T$, if $\Delta \vdash l\sigma : T$ then $\sigma : \Gamma \leadsto \Delta$ and $\sigma \downarrow \rho\sigma$.

The first condition is decidable under the quite natural restriction that the typing of $r$ does not need the use of $f\vec l \to r$. The other conditions generally follow from the inversion of the judgment $\Delta \vdash l\sigma : T$, and confluence for the condition $\sigma \downarrow \rho\sigma$. Lemma 7 in [6] gives sufficient conditions for deciding that $\sigma : \Gamma \leadsto \Delta$.

The substitution $\rho$ allows one to eliminate non-linearities that are only due to typing. This makes rewriting more efficient and the proof of confluence easier. For instance, the concatenation on polymorphic lists (type $list : * \Rightarrow *$ with constructors $nil : (A : *)list\ A$ and $cons : (A : *)A \Rightarrow list\ A \Rightarrow list\ A$) of type $(A : *)list\ A \Rightarrow list\ A \Rightarrow list\ A$ can be defined by:

$app\ A\ (nil\ A')\ l' \to l'$
$app\ A\ (cons\ A'\ x\ l)\ l' \to cons\ A\ x\ (app\ A\ l\ l')$
$app\ A\ (app\ A'\ l\ l')\ l'' \to app\ A\ l\ (app\ A\ l'\ l'')$

with $\Gamma = A : *, x : A, l : list\ A, l' : list\ A$ and $\rho = \{A' \mapsto A\}$. Note that the third rule has no counterpart in CIC. Although $app\ A\ (nil\ A')\ l'$ is not typable in $\Gamma$ (since $A' \notin dom(\Gamma)$), it becomes typable if we apply $\rho$. This does not matter since, if an instance $app\ A\sigma\ (nil\ A'\sigma)\ l'\sigma$ is typable then, after the typing rules, $A\sigma$ is convertible to $A'\sigma$. See [6] for details.

We now introduce some restrictions on predicate-level rewrite rules, that generalize usual restrictions of strong elimination. Indeed, it is well known that strong elimination on big inductive types may lead to inconsistencies [9].

Definition 3.6. (Conditions on predicate-level rules)

- For all $F \in \mathcal F^\Box$, $F\vec l \to r \in \mathcal R$ and $x \in FV^\Box(r)$, there is $\kappa_x$ such that $l_{\kappa_x} = x$.

- Predicate-level rules have critical pairs with no rule.

The first condition means that one cannot do matching on predicate arguments, hence that predicate variables are like parameters.

The condition on critical pairs, which is satisfied by CIC recursors, allows us to define an interpretation for defined predicate symbols easily (see Definition 4.3). However, we think that this condition could be weakened. For instance, consider $F : nat \Rightarrow * \Rightarrow * \Rightarrow *$ and the rules:

$F\ 0\ A\ B \to B$
$F\ (s\ n)\ A\ B \to A \Rightarrow (F\ n\ A\ B)$

$(F\ n\ A\ B)$ is the type of functions with $n$ arguments of type $A$ and output in $B$. So, it seems reasonable to allow rules derived from inductive consequences of these first two rules, like for instance:

$F\ (x + y)\ A\ B \to F\ x\ A\ (F\ y\ A\ B)$

We now prove a simple lemma saying that, for proving a property $P$ for every typing judgment $\Gamma \vdash t : T$, one may proceed by well-founded induction on the symbol precedence and prove that $P$ holds for every typing judgment $\Gamma \vdash_g t : T$ when it holds for every typing judgment $\Gamma \vdash_f t : T$ such that $f < g$.

Lemma 3.1. We have (1) $\Gamma \vdash t : T$ and every symbol occurring in $\Gamma, t, T$ smaller (resp. strictly smaller) than $g$ if and only if (2) $\Gamma \vdash_g t : T$ (resp. $\Gamma \vdash_{<g} t : T$).

Proof:

(1) ⇒ (2). One can easily prove by induction on $\Gamma \vdash t : T$ that, (*) if $\Gamma \vdash t : T$ and every symbol occurring in $\Gamma$ and $t$ is smaller than $g$, then there exists $T'$ such that $T \to^* T'$ and $\Gamma \vdash_g t : T'$ (see Lemma 54 in [5]). In the (symb) case, it uses the assumption that every symbol occurring in $\tau_f$ is strictly smaller than $f$ (Definition 3.4). In the (conv) case, it uses confluence and the assumption that, for every rule $f\vec l \to r$, the symbols occurring in $r$ are smaller than $f$ (Definition 3.3). So, assume that $\Gamma \vdash t : T$ and every symbol occurring in $\Gamma, t, T$ is smaller than $g$. By (*), there exists $T'$ such that $T \to^* T'$ and $\Gamma \vdash_g t : T'$. By type correctness (Lemma 28 in [5]), either $T = \Box$ or $\Gamma \vdash T : s$. If $T = \Box$ then $T' = T = \Box$ and $\Gamma \vdash_g t : T$. Now, if $\Gamma \vdash T : s$ then, by (*) again, $\Gamma \vdash_g T : s$. Thus, by (conv), $\Gamma \vdash_g t : T$. The same holds with $\vdash_{<g}$.

(2) ⇒ (1). Easy induction on $\Gamma \vdash_g t : T$. □

Corollary 3.1. If $\vdash g : \tau_g$ then $\vdash_{<g} \tau_g : s_g$.

Proof:

It follows from Lemma 3.1 and the assumption that, for all $f$, every symbol occurring in $\tau_f$ is strictly smaller than $f$ (see Definition 3.4). □



4. Strong normalization 

Typed $\lambda$-calculi are generally proved strongly normalizing by using Tait and Girard's technique of reducibility candidates [14]. The idea of Tait, later extended by Girard to the polymorphic $\lambda$-calculus, is to strengthen the induction hypothesis. Instead of proving that every term is strongly normalizable (set $\mathcal{SN}$), one associates to every type $T$ a set $[\![T]\!] \subseteq \mathcal{SN}$, the interpretation of $T$, and proves that every term $t$ of type $T$ is computable, i.e. belongs to $[\![T]\!]$. Hereafter, we follow the proof given in [6] which greatly simplifies the one given in [5]. All the definitions and properties of this section are taken from [6].

Definition 4.1. (Reducibility candidates)

We assume given a set $\mathcal N \subseteq \mathcal T$ of neutral terms satisfying the following property: if $t \in \mathcal N$ and $u \in \mathcal T$ then $tu$ is not head-reducible. We inductively define the complete lattice $\mathcal R_t$ of the interpretations for the terms of type $t$, the ordering $\leq_t$ on $\mathcal R_t$, and the greatest element $\top_t \in \mathcal R_t$ as follows.

- $\mathcal R_t = \{\emptyset\}$, $\leq_t = \subseteq$ and $\top_t = \emptyset$ if $t \neq \Box$ and $t$ is not of the form $(\vec x : \vec t)*$.

- $\mathcal R_*$ is the set of all subsets $R \subseteq \mathcal T$ such that:
  (R1) $R \subseteq \mathcal{SN}$ (strong normalization).
  (R2) If $t \in R$ then $\to(t) = \{t' \in \mathcal T \mid t \to t'\} \subseteq R$ (stability by reduction).
  (R3) If $t \in \mathcal N$ and $\to(t) \subseteq R$ then $t \in R$ (neutral terms).
  Furthermore, $\leq_* = \subseteq$ and $\top_* = \mathcal{SN}$.

- $\mathcal R_{(x : U)K}$ is the set of functions $R$ from $\mathcal T \times \mathcal R_U$ to $\mathcal R_K$ such that $R(u, S) = R(u', S)$ whenever $u \to u'$, $R \leq_{(x : U)K} R'$ iff, for all $(u, S) \in \mathcal T \times \mathcal R_U$, $R(u, S) \leq_K R'(u, S)$, and $\top_{(x : U)K}(u, S) = \top_K$.

The exact definition of $\mathcal N$ is not necessary at this stage. Moreover, the choice of $\mathcal N$ may depend on the way predicate symbols are interpreted. The set that we will choose is given in Definition 5.3.

Note that $\mathcal R_t = \mathcal R_{t'}$ whenever $t \to t'$ (Lemma 34 in [6]). The proof that $(\mathcal R_t, \leq_t)$ is a complete lattice is given in Lemma 35 in [6].

Definition 4.2. (Interpretation schema)

A candidate assignment is a function $\xi$ from $\mathcal X$ to $\bigcup\{\mathcal R_t \mid t \in \mathcal T\}$. An assignment $\xi$ validates an environment $\Gamma$, $\xi \models \Gamma$, if, for all $x \in dom(\Gamma)$, $x\xi \in \mathcal R_{x\Gamma}$. An interpretation for a symbol $f$ is an element of $\mathcal R_{\tau_f}$. An interpretation for a set $\mathcal G$ of symbols is a function which, to every symbol $g \in \mathcal G$, associates an interpretation for $g$. The interpretation of a term $t$ w.r.t. a candidate assignment $\xi$, an interpretation $I$ for $\mathcal F$ and a substitution $\theta$, is defined by induction on $t$ as follows:

• $[\![t]\!]^I_{\xi,\theta} = \top_t$ if $t$ is an object or a sort,

• $[\![x]\!]^I_{\xi,\theta} = x\xi$,

• $[\![f]\!]^I_{\xi,\theta} = I_f$,

• $[\![(x : U)V]\!]^I_{\xi,\theta} = \{t \in \mathcal T \mid \forall u \in [\![U]\!]^I_{\xi,\theta}, \forall S \in \mathcal R_U, tu \in [\![V]\!]^I_{\xi^x_S,\theta^x_u}\}$,

• $[\![[x : U]v]\!]^I_{\xi,\theta}(u, S) = [\![v]\!]^I_{\xi^x_S,\theta^x_u}$,

• $[\![tu]\!]^I_{\xi,\theta} = [\![t]\!]^I_{\xi,\theta}(u\theta, [\![u]\!]^I_{\xi,\theta})$,

where $\xi^x_S = \xi \cup \{x \mapsto S\}$ and $\theta^x_u = \theta \cup \{x \mapsto u\}$. A substitution $\theta$ is $I$-adapted to a $\Gamma$-assignment $\xi$ if $dom(\theta) \subseteq dom(\Gamma)$ and, for all $x \in dom(\theta)$, $x\theta \in [\![x\Gamma]\!]^I_{\xi,\theta}$. A pair $(\xi, \theta)$ is $(\Gamma, I)$-valid, written $\xi, \theta \models_I \Gamma$, if $\xi \models \Gamma$ and $\theta$ is $I$-adapted to $\xi$. A term $t$ such that $\Gamma \vdash t : T$ is computable if, for all $(\Gamma, I)$-valid pair $(\xi, \theta)$, $t\theta \in [\![T]\!]^I_{\xi,\theta}$. A sub-system $\vdash' \subseteq \vdash$ is computable if every term typable in it is computable.

Thanks to the property satisfied by $\mathcal N$, one can prove that the interpretation schema defines reducibility candidates: if $\Gamma \vdash t : T$ and $\xi \models \Gamma$, then $[\![t]\!]^I_{\xi,\theta} \in \mathcal R_T$ (see Lemma 38 in [6]). Note also that $[\![t]\!]^I_{\xi,\theta} = [\![t]\!]^{I'}_{\xi',\theta'}$ whenever $\xi$ and $\xi'$ agree on the predicate variables free in $t$, $\theta$ and $\theta'$ agree on the variables free in $t$, and $I$ and $I'$ agree on the symbols occurring in $t$.

Now, the difficult point is to define an interpretation $I$ for every predicate symbol and to prove that every symbol $f$ is computable, i.e. $f \in [\![\tau_f]\!]^I$. We define $I$ by induction on the precedence, and simultaneously for the symbols that are in the same equivalence class. We first give the interpretation for defined predicate symbols.

Definition 4.3. (Interpretation of defined predicate symbols)

If every $t_i$ has a normal form $t_i^*$ and $\vec t^* = \vec l\sigma$ for some rule $F\vec l \to r \in \mathcal R$, then $I_F(\vec t, \vec S) = [\![r]\!]^I_{\xi,\sigma}$ with $x\xi = S_{\kappa_x}$. Otherwise, $I_F(\vec t, \vec S) = \mathcal{SN}$.

Sufficient conditions of well-definedness are given in [6]. Among other things, it assumes that, for every rule $f\vec l \to r$, every symbol occurring in $r$ is smaller than $f$ (see Definition 3.3).

In order for the interpretation to be compatible with the conversion rule, we must make sure that $[\![T]\!]^I_{\xi,\theta} = [\![T']\!]^I_{\xi,\theta}$ whenever $T \to T'$. This property is easily verified if predicate-level rewrite rules have critical pairs with no rule, as required in Definition 3.6 (see Lemma 65 in [6]).

Now, following previous works on inductive types [21, 32], the interpretation of a constant predicate symbol $C$ is defined as the least fixpoint of a monotone function $\varphi_C$ on the complete lattice $\mathcal R_{\tau_C}$. Following Matthes [19], there are essentially two possible definitions that we illustrate by the case of $nat$. The introduction-based definition:

$\varphi_{nat}(I) = \{t \in \mathcal{SN} \mid t \to^* su \Rightarrow u \in I\}$

and the elimination-based definition:

$\varphi_{nat}(I) = \{t \in \mathcal T \mid \forall (\xi, \theta)\ (\Gamma, I)\text{-valid},\ rec\ P\theta\ u\theta\ v\theta\ t \in [\![Pn]\!]^I_{\xi,\theta^n_t}\}$

where $\Gamma = P : nat \Rightarrow *, u : P0, v : (n : nat)Pn \Rightarrow P(sn)$. In both cases, the monotony of $\varphi_{nat}$ is ensured by the fact that $nat$ occurs only positively in the types of the arguments of its constructors, a common condition for inductive types (for simple types, we say that $X$ occurs positively in $Y \Rightarrow X$ and negatively in $X \Rightarrow Y$). Indeed, Mendler proved that recursors for negative types are not normalizing [21]. Take for instance an inductive type $C$ with constructor $c : (C \Rightarrow nat) \Rightarrow C$. Assume now that we have $p : C \Rightarrow (C \Rightarrow nat)$ defined by the rule $p(cx) \to_{\mathcal R} x$. Then, by taking $\omega = [x : C](px)x$, we get the infinite reduction sequence $\omega(c\omega) \to_\beta p(c\omega)(c\omega) \to_{\mathcal R} \omega(c\omega) \to_\beta \ldots$ We now extend the notion of positive positions to the terms of CC (in Section 9, we give a more general definition for dealing with inductive-recursive types):
Definition 4.4. (Positive/negative positions)

The sets of positive positions $Pos^+(t)$ and negative positions $Pos^-(t)$ in a term $t$ are inductively defined as follows:

- $Pos^\delta(s) = Pos^\delta(x) = Pos^\delta(f) = \{\varepsilon \mid \delta = +\}$,

- $Pos^\delta((x : U)V) = 1.Pos^{-\delta}(U) \cup 2.Pos^\delta(V)$,

- $Pos^\delta([x : U]v) = 2.Pos^\delta(v)$,

- $Pos^\delta(tu) = 1.Pos^\delta(t)$,

where $\varepsilon$ is the empty word, "." the concatenation, $\delta \in \{-, +\}$, $-+ = -$ and $-- = +$ (usual rules of signs). Moreover, if $\leq$ is an ordering, we let $\leq^+ = \leq$ and $\leq^- = \geq$.

In [6], we used the introduction-based approach since this allowed us to have non-free constructors and pattern-matching on defined symbols, which is forbidden in CIC and does not seem possible with the elimination-based approach. For instance, in CAC, it is possible to formalize the type $int$ of integers by simply taking the symbols $0 : int$, $s : int \Rightarrow int$ and $p : int \Rightarrow int$, together with the rules:

$s\ (p\ x) \to x$
$p\ (s\ x) \to x$

It is also possible to have the following rule on natural numbers:

$x \times (y + z) \to (x \times y) + (x \times z)$

To this end, we considered as constructor not only the usual (constant) constructor symbols but any symbol $c$ whose output type is a constant predicate symbol $C$ (perhaps applied to some arguments). Then, to preserve the monotony of $\varphi_C$, matching against $c$ is restricted to the arguments, called accessible, in the type of which $C$ occurs only positively. We denote by $Acc(c)$ the set of accessible arguments of $c$. For instance, $x$ is accessible in $sx$ since $nat$ occurs only positively in the type of $x$. But, we also have $x$ and $y$ accessible in $x + y$ since $nat$ occurs only positively in the types of $x$ and $y$. So, $+$ can be seen as a constructor too, whose arguments are both accessible.
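Definition 4.4 and the accessibility test $Acc(c)$ above, as an added example that is not part of the paper: the positions $Pos^\delta(t)$ are computed on a small term syntax for CC, and $Acc$ is evaluated for $s$, $+$ and Mendler's negative constructor $c : (C \Rightarrow nat) \Rightarrow C$ from this section; the tuple encoding of terms and the extra example $node : (nat \Rightarrow tree) \Rightarrow tree$ are choices made for this example.

```python
# Added example, not from the paper: Definition 4.4 on a small term syntax,
# then the accessibility test of this section, Acc(c) = the arguments of a
# constructor c in whose type C occurs only positively.  Applied to
# s : nat => nat, + : nat => nat => nat and Mendler's c : (C => nat) => C.
# Terms: ('sort', '*'), ('var', x), ('sym', f), ('prod', x, U, V),
# ('abs', x, U, v), ('app', t, u); a non-dependent U => V is ('prod', '_', U, V).

def sym(f): return ('sym', f)
def prod(U, V, x='_'): return ('prod', x, U, V)

FLIP = {'+': '-', '-': '+'}   # the usual rule of signs: -+ = -, -- = +

def positions(t, delta='+'):
    """Pos^delta(t) from Definition 4.4, as a set of position words over {1, 2}."""
    kind = t[0]
    if kind in ('sort', 'var', 'sym'):
        return {()} if delta == '+' else set()
    if kind == 'prod':           # 1.Pos^{-delta}(U) u 2.Pos^delta(V)
        return ({(1,) + p for p in positions(t[2], FLIP[delta])}
                | {(2,) + p for p in positions(t[3], delta)})
    if kind == 'abs':            # 2.Pos^delta(v)
        return {(2,) + p for p in positions(t[3], delta)}
    if kind == 'app':            # 1.Pos^delta(t): arguments get neither sign
        return {(1,) + p for p in positions(t[1], delta)}
    raise ValueError(kind)

def children(t):
    """The immediate subterms of t, numbered 1 and 2 as in Dewey positions."""
    if t[0] in ('prod', 'abs'):
        return {1: t[2], 2: t[3]}
    if t[0] == 'app':
        return {1: t[1], 2: t[2]}
    return {}

def subterm(t, p):
    """t|_p."""
    for i in p:
        t = children(t)[i]
    return t

def all_positions(t):
    """Pos(t)."""
    return {()} | {(i,) + p for i, u in children(t).items() for p in all_positions(u)}

def symbol_positions(f, t):
    """Pos(f, t): the positions of the occurrences of the symbol f in t."""
    return {p for p in all_positions(t) if subterm(t, p) == sym(f)}

def occurs_only_positively(f, t):
    """Pos(f, t) is included in Pos^+(t), the test used in Definition 5.2."""
    return symbol_positions(f, t) <= positions(t, '+')

def argument_types(tau):
    """Split a constructor type (x1 : T1) ... (xn : Tn) C v into [T1, ..., Tn]."""
    types = []
    while tau[0] == 'prod':
        types.append(tau[2])
        tau = tau[3]
    return types

def accessible(C, tau):
    """Acc(c) for a constructor c of type tau: the (1-based) argument indices j
    such that C occurs only positively in T_j.  Note that the test is made on
    each T_j separately, not on tau as a whole: in c : (C => nat) => C the two
    occurrences of C are at 1.1 and 2, both positive in tau, yet C is negative
    in the argument type C => nat, so the argument of c is not accessible."""
    return {j for j, T in enumerate(argument_types(tau), start=1)
            if occurs_only_positively(C, T)}

NAT, C, TREE = sym('nat'), sym('C'), sym('tree')
S_TYPE = prod(NAT, NAT)                          # s : nat => nat
PLUS_TYPE = prod(NAT, prod(NAT, NAT))            # + : nat => nat => nat
MENDLER_C_TYPE = prod(prod(C, NAT), C)           # c : (C => nat) => C
NODE_TYPE = prod(prod(NAT, TREE), TREE)          # node : (nat => tree) => tree, strictly positive
```

`accessible('nat', PLUS_TYPE)` returns `{1, 2}` and `accessible('C', MENDLER_C_TYPE)` returns the empty set, so no argument of Mendler's $c$ can be matched against, which is what blocks the rule $p(cx) \to x$ of the infinite reduction above.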

With this approach, we can safely take:

$\varphi_{nat}(I) = \{t \in \mathcal{SN} \mid \forall f,\ t \to^* f\vec u \Rightarrow \forall j \in Acc(f),\ u_j \in [\![U_j]\!]^I_{\xi,\theta}\}$

where $f$ is any symbol of type $(\vec y : \vec U)nat$ and $\theta = \{\vec y \mapsto \vec u\}$, whenever an appropriate assignment $\xi$ for the predicate variables of $U_j$ can be defined, which seems possible only if the condition (I6) is satisfied (see Definition 1.1). Here, since $nat$ has no parameter, this condition is satisfied only if $U_j$ has no predicate argument.

As a consequence, if $f\vec t$ is computable then, for all $j \in Acc(f)$, $t_j$ is computable (see Lemma 53 in [6]). This means that, when a rule applies, the matching substitution $\sigma$ is computable. This property is then used for proving the termination of higher-order rewrite rules by using the notion of computability closure of a rule left-hand side (see Definition 25 in [6]). The computability closure is defined in such a way that, if $r$ is in the computability closure of $f\vec l$ then, for all computable substitution $\sigma$, $r\sigma$ is computable whenever the terms in $\vec l\sigma$ are computable (see Theorem 67 in [6]).

As for first-order rewrite rules, i.e. rules with algebraic right-hand sides and variables of first-order data type only, it is well known since the pioneering works of Breazu-Tannen and Gallier [7], and Okada [24], that their combination with non-dependent typed $\lambda$-calculi preserves strong normalization. It comes from the fact that first-order rewriting cannot create new $\beta$-redexes. This result can be extended to our more general framework if the following two conditions are satisfied:

- Since we consider the combination of a set of first-order rewrite rules and a set of higher-order rewrite rules, and since strong normalization is not modular [30], we require first-order rewrite rules to be non-duplicating (no variable occurs more times in a right-hand side than in a left-hand side) [28, 17].

- For proving that first-order rewrite rules preserve not only strong normalization but also computability, we must make sure that, for first-order data types, computability is equivalent to strong normalization.

In fact, we consider a slightly more general notion of first-order data type than usual: our first-order data types can be dependent if the dependencies are first-order data types too (e.g. lists of natural numbers of fixed length).

Definition 4.5. (First-order data types)

Types equivalent to $C$ are first-order data types³ if, for all $D \simeq C$, $D : (\vec z : \vec V)*$, $\{\vec z\} \subseteq \mathcal X^*$ and, for all $d : (\vec x : \vec T)D\vec v$, $\{\vec x\} \subseteq \mathcal X^*$, $Acc(d) = \{1, \ldots, |\vec x|\}$ and every $T_j$ is of the form $E\vec w$ with $E \leq C$ a first-order data type too.

5. Abstract recursors

From now on, we assume that the set of constant predicate symbols $\mathcal{CF}^\Box$ is divided in two disjoint sets: the set $\mathcal{CF}^\Box_{intro}$ of predicate symbols interpreted by the introduction-based method of [6], and the set $\mathcal{CF}^\Box_{elim}$ of predicate symbols interpreted by the elimination-based method of the present paper.

We now introduce an abstract notion of recursor for dealing with the elimination-based method in a general way.

Definition 5.1. (Pre-recursors)

A pre-recursor for a symbol $C : (\vec z : \vec V)*$ in $\mathcal{CF}^\Box_{elim}$ is any symbol $f \notin Cons$ such that:

- $\tau_f$ is of the form $(\vec z : \vec V)(z : C\vec z)W$,

- every predicate symbol occurring in $W$ is smaller than $C$,

- every rule defining $f$ is of the form $f\vec z(c\vec t)\vec u \to r$ with $c$ constant, $\vec z \in \mathcal X$ and $FV(r) \cap \{\vec z\} = \emptyset$.

The form of a pre-recursor type may seem restrictive. However, since termination is not established yet, we cannot consider the normal form of a type when testing if it matches some given form. Moreover, in an environment, every two variables whose types do not depend on each other can be permuted without modifying the set of terms typable in this environment (see Lemma 18 in [5]). So, our results also apply to symbols whose type can be brought to this form by various applications of this lemma.

Definition 5.2. (Positivity conditions)

A pre-recursor $f : (\vec z : \vec V)(z : C\vec z)W$ is a recursor if it satisfies the following positivity conditions:⁴

- no defined predicate $F \simeq C$ occurs in $W$: $Pos(F, W) = \emptyset$,

- every constant predicate $D \simeq C$ occurs only positively in $W$: $Pos(D, W) \subseteq Pos^+(W)$.

A recursor $f$ of sort $s_f = *$ (resp. $\Box$) is weak (resp. strong). We assume that every type $C \in \mathcal{CF}^\Box_{elim}$ has a non-empty set $\mathcal{R}ec(C)$ of recursors, and that $\mathcal{R}ec(C) \cap \mathcal{R}ec(D) = \emptyset$ whenever $C$ and $D$ are two distinct predicate symbols of $\mathcal{CF}^\Box_{elim}$.

³ Called primitive in [6].

⁴ In Section 9, we give weaker conditions for dealing with inductive-recursive types.

We now define a set of neutral terms (see Definition 4.1) that is adapted to both the introduction- 
based and the elimination-based approach. 

Definition 5.3. (Neutral terms) 

For the set $\mathcal{N}$ of neutral terms (see Definition 4.1), we choose the set of all terms not of the form:

- abstraction: $[x : T]u$,

- partial application: $f\vec{t}$ with $f$ defined by some rule $f\vec{l} \to r$ with $|\vec{l}| > |\vec{t}|$,

- constructor: $f\vec{t}$ with $\tau_f = (\vec{y} : \vec{U})C\vec{v}$, $|\vec{t}| = |\vec{y}|$, $C \in \mathcal{CF}^\Box$, and $f$ constant whenever $C \in \mathcal{CF}^\Box_{elim}$.

In comparison with Definition 31 in [6], we just added the restriction, in the constructor case, that $f$ is constant if $C \in \mathcal{CF}^\Box_{elim}$. This therefore changes nothing if $C \in \mathcal{CF}^\Box_{intro}$.

We now define the interpretation of the equivalence class of a symbol $C \in \mathcal{CF}^\Box_{elim}$. Since we proceed by induction on the precedence for defining the interpretation of predicate symbols, we can assume that an interpretation for the symbols strictly smaller than $C$ is already defined. The set of interpretations for constant predicate symbols equivalent to $C$, ordered point-wise, is a complete lattice. We now define the monotone function $\varphi$ on this lattice whose fixpoint will be the interpretation for constant predicate symbols equivalent to $C$.

Definition 5.4. (Interpretation of constant predicate symbols from $\mathcal{CF}^\Box_{elim}$)

If every $t_i$ has a normal form $t_i^*$ then $\varphi^I_C(\vec{t}, \vec{S})$ is the set of terms $t$ such that, for all $f \in \mathcal{R}ec(C)$ of type $(\vec{z} : \vec{V})(z : C\vec{z})(\vec{y} : \vec{U})V$ with $V$ not a product, and for all $\vec{y}\xi$ and $\vec{y}\theta$, if $\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}} \models_I \vec{y} : \vec{U}$ then $f\vec{t}^* t\vec{y}\theta \in \llbracket V \rrbracket^I_{\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}}}$. Otherwise, $\varphi^I_C(\vec{t}, \vec{S}) = \mathcal{SN}$.

This interpretation is well defined since, by Definition 5.1, every predicate symbol occurring in $(\vec{y} : \vec{U})V$ is smaller than $C$. Furthermore, one can easily check that $\varphi^I_C$ is stable by reduction: if $\vec{t} \to \vec{t}'$ then $\varphi^I_C(\vec{t}, \vec{S}) = \varphi^I_C(\vec{t}', \vec{S})$. We now prove that $\varphi^I_C(\vec{t}, \vec{S})$ is a reducibility candidate.

Lemma 5.1. $R = \varphi^I_C(\vec{t}, \vec{S})$ is a reducibility candidate.

Proof:

(R1) Let $t \in R$. We must prove that $t \in \mathcal{SN}$. Since $\mathcal{R}ec(C) \neq \emptyset$, there is at least one recursor $f$. Take $\vec{y}\theta = \vec{y}$ and $\vec{y}\xi = \top_{\vec{U}}$. We clearly have $\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}} \models \vec{y} : \vec{U}$. Therefore, $f\vec{t}^* t\vec{y} \in S = \llbracket V \rrbracket_{\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}}}$. Now, since $S$ satisfies (R1), $f\vec{t}^* t\vec{y} \in \mathcal{SN}$ and $t \in \mathcal{SN}$.

(R2) Let $t \in R$ and $t' \in \to(t)$. We must prove that $t' \in R$, hence that $f\vec{t}^* t'\vec{y}\theta \in S = \llbracket V \rrbracket_{\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}}}$. This follows from the fact that $f\vec{t}^* t\vec{y}\theta \in S$ (since $t \in R$) and $S$ satisfies (R2).

(R3) Let $t$ be a neutral term such that $\to(t) \subseteq R$. We must prove that $t \in R$, hence that $u = f\vec{t}^* t\vec{y}\theta \in S = \llbracket V \rrbracket_{\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}}}$. Since $u$ is neutral and $S$ satisfies (R3), it suffices to prove that $\to(u) \subseteq S$. Since $\vec{y}\theta \in \mathcal{SN}$ by (R1), we proceed by induction on $\vec{y}\theta$ with $\to$ as well-founded ordering. The only difficult case could be when $u$ is head-reducible, but this is not possible since $t$ is neutral.

□

The fact that ip is monotone, hence has a least fixpoint, follows from the positivity conditions. 

Lemma 5.2. Let $I \le_f I'$ iff $I_f \le I'_f$ and, for all $g \neq f$, $I_g = I'_g$. If $I \le_f I'$, $Pos(f, t) \subseteq Pos^\delta(t)$, $\Gamma \vdash t : T$ and $\xi \models \Gamma$ then $\llbracket t \rrbracket^I_{\xi,\theta} \le^\delta \llbracket t \rrbracket^{I'}_{\xi,\theta}$.

Proof:

By induction on $t$.

- $\llbracket s \rrbracket^I_{\xi,\theta} = \llbracket s \rrbracket^{I'}_{\xi,\theta}$ since the interpretation of a sort does not depend on $I$.

- $\llbracket x \rrbracket^I_{\xi,\theta} = x\xi = \llbracket x \rrbracket^{I'}_{\xi,\theta}$.

- Let $R = \llbracket g\vec{t} \rrbracket^I_{\xi,\theta}$ and $R' = \llbracket g\vec{t} \rrbracket^{I'}_{\xi,\theta}$. $R = I_g(\vec{t}\theta, \vec{S})$ with $\vec{S} = \llbracket \vec{t} \rrbracket^I_{\xi,\theta}$. $R' = I'_g(\vec{t}\theta, \vec{S}')$ with $\vec{S}' = \llbracket \vec{t} \rrbracket^{I'}_{\xi,\theta}$. Since $Pos(f, \vec{t}) = \emptyset$, $\vec{S} = \vec{S}'$. Now, if $f = g$ then $R \le R'$ and $\delta = +$ necessarily. Otherwise, $R = R'$.

- Let $R = \llbracket (x : U)V \rrbracket^I_{\xi,\theta}$ and $R' = \llbracket (x : U)V \rrbracket^{I'}_{\xi,\theta}$. $R = \{t \in \mathcal{T} \mid \forall u \in \llbracket U \rrbracket^I_{\xi,\theta}, \forall S \in \mathcal{R}_U, tu \in \llbracket V \rrbracket^I_{\xi^S_x,\theta^u_x}\}$ and $R' = \{t \in \mathcal{T} \mid \forall u \in \llbracket U \rrbracket^{I'}_{\xi,\theta}, \forall S \in \mathcal{R}_U, tu \in \llbracket V \rrbracket^{I'}_{\xi^S_x,\theta^u_x}\}$. Since $Pos^\delta((x : U)V) = 1.Pos^{-\delta}(U) \cup 2.Pos^\delta(V)$, $Pos(f, U) \subseteq Pos^{-\delta}(U)$ and $Pos(f, V) \subseteq Pos^\delta(V)$. Therefore, by induction hypothesis, $\llbracket U \rrbracket^I_{\xi,\theta} \le^{-\delta} \llbracket U \rrbracket^{I'}_{\xi,\theta}$ and $\llbracket V \rrbracket^I_{\xi^S_x,\theta^u_x} \le^\delta \llbracket V \rrbracket^{I'}_{\xi^S_x,\theta^u_x}$. So, $R \le^\delta R'$. Indeed, if $\delta = +$, $t \in R$ and $u \in \llbracket U \rrbracket^{I'}_{\xi,\theta} \subseteq \llbracket U \rrbracket^I_{\xi,\theta}$ then $tu \in \llbracket V \rrbracket^I_{\xi^S_x,\theta^u_x} \subseteq \llbracket V \rrbracket^{I'}_{\xi^S_x,\theta^u_x}$ and $t \in R'$. If $\delta = -$, $t \in R'$ and $u \in \llbracket U \rrbracket^I_{\xi,\theta} \subseteq \llbracket U \rrbracket^{I'}_{\xi,\theta}$ then $tu \in \llbracket V \rrbracket^{I'}_{\xi^S_x,\theta^u_x} \subseteq \llbracket V \rrbracket^I_{\xi^S_x,\theta^u_x}$ and $t \in R$.

- Let $R = \llbracket [x : U]v \rrbracket^I_{\xi,\theta}$ and $R' = \llbracket [x : U]v \rrbracket^{I'}_{\xi,\theta}$. $R$ and $R'$ have the same domain $\mathcal{T} \times \mathcal{R}_U$ and the same codomain $\mathcal{R}_V$. $R(u, S) = \llbracket v \rrbracket^I_{\xi^S_x,\theta^u_x}$ and $R'(u, S) = \llbracket v \rrbracket^{I'}_{\xi^S_x,\theta^u_x}$. Since $Pos^\delta([x : U]v) = 2.Pos^\delta(v)$, $Pos(f, v) \subseteq Pos^\delta(v)$. Therefore, by induction hypothesis, $R(u, S) \le^\delta R'(u, S)$ and $R \le^\delta R'$.

- Let $R = \llbracket tu \rrbracket^I_{\xi,\theta}$ and $R' = \llbracket tu \rrbracket^{I'}_{\xi,\theta}$. $R = \llbracket t \rrbracket^I_{\xi,\theta}(u\theta, S)$ with $S = \llbracket u \rrbracket^I_{\xi,\theta}$. $R' = \llbracket t \rrbracket^{I'}_{\xi,\theta}(u\theta, S')$ with $S' = \llbracket u \rrbracket^{I'}_{\xi,\theta}$. Since $Pos^\delta(tu) = 1.Pos^\delta(t)$, $Pos(f, t) \subseteq Pos^\delta(t)$ and $Pos(f, u) = \emptyset$. Therefore, $S = S'$ and, by induction hypothesis, $\llbracket t \rrbracket^I_{\xi,\theta} \le^\delta \llbracket t \rrbracket^{I'}_{\xi,\theta}$. So, $R \le^\delta R'$.

□

Lemma 5.3. $\varphi$ is monotone.

Proof:

Let $I \le J$. We must prove that, for all $C$, $\vec{t}$, $\vec{S}$, $\varphi^I_C(\vec{t}, \vec{S}) \subseteq \varphi^J_C(\vec{t}, \vec{S})$. If some $t_i$ has no normal form then $\varphi^I_C(\vec{t}, \vec{S}) = \varphi^J_C(\vec{t}, \vec{S}) = \mathcal{SN}$. Assume now that every $t_i$ has a normal form $t_i^*$. Let $t \in \varphi^I_C(\vec{t}, \vec{S})$, $f \in \mathcal{R}ec(C)$ with $\tau_f = (\vec{z} : \vec{V})(z : C\vec{z})(\vec{y} : \vec{U})V$, $\vec{y}\xi$ and $\vec{y}\theta$ such that $\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}} \models_J \vec{y} : \vec{U}$. We must prove that $f\vec{t}^* t\vec{y}\theta \in \llbracket V \rrbracket^J_{\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}}}$. $\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}} \models_J \vec{y} : \vec{U}$ means that $\vec{y}\theta \in \llbracket \vec{U} \rrbracket^J_{\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}}}$. Let $W = (\vec{y} : \vec{U})V$. By assumption, for every $D \simeq C$, $Pos(D, W) \subseteq Pos^+(W)$. Thus, $Pos(D, \vec{U}) \subseteq Pos^-(\vec{U})$ and $Pos(D, V) \subseteq Pos^+(V)$. Hence, by Lemma 5.2, $\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}} \models_I \vec{y} : \vec{U}$ and $\llbracket V \rrbracket^I_{\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}}} \subseteq \llbracket V \rrbracket^J_{\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}}}$. Thus, $f\vec{t}^* t\vec{y}\theta \in \llbracket V \rrbracket^J_{\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}}}$. □

6. Admissible recursors 

Now, for getting termination of $\beta \cup \mathcal{R}$, we need to prove that every symbol $f$ is computable, i.e. $f \in \llbracket \tau_f \rrbracket$. To this end, we give general conditions on recursors. We focus on what is new and refer the reader to [6] for the other cases. After Lemma 3.1, we know that we can proceed by induction on the precedence for proving the computability of well-typed terms. So, when defining conditions on a symbol $f$, we can always assume w.l.o.g. that $\vdash^f_<$ is computable, i.e. terms with symbols strictly smaller than $f$ are computable (see Definition 4.2). In particular, every subterm of $\tau_f$ is computable (see Corollary 3.1).

Definition 6.1. (Admissible recursors) 

Let $C : (\vec{z} : \vec{V})\star$ be a constant predicate symbol such that $\mathcal{R}ec(C) \neq \emptyset$. We assume that every symbol $c : (\vec{x} : \vec{T})C\vec{v}$ is equipped with a set $Acc(c) \subseteq \{1, \ldots, |\vec{x}|\}$ of accessible arguments. A constructor of $C$ is any constant symbol $c : (\vec{x} : \vec{T})C\vec{v}$.

The set $\mathcal{R}ec(C)$ is complete w.r.t. accessibility if, for all constructor $c : (\vec{x} : \vec{T})C\vec{v}$, $j \in Acc(c)$, $\vec{x}\eta$ and $\vec{x}\sigma$, if $\eta \models \Gamma_c$, $\vec{v}\sigma \in \mathcal{SN}$ and $c\vec{x}\sigma \in \llbracket C\vec{v} \rrbracket_{\eta,\sigma}$ then $x_j\sigma \in \llbracket T_j \rrbracket_{\eta,\sigma}$.

A recursor $f : (\vec{z} : \vec{V})(z : C\vec{z})(\vec{y} : \vec{U})V$ is head-computable w.r.t. a constructor $c : (\vec{x} : \vec{T})C\vec{v}$ if, whenever $\vdash^f_<$ is computable, for all $\vec{x}\eta$, $\vec{x}\sigma$, $\vec{y}\xi$, $\vec{y}\theta$, $\vec{S} = \llbracket \vec{v} \rrbracket_{\eta,\sigma}$ such that $\eta, \sigma \models \Gamma_c$ and $\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{v}\sigma, c\vec{x}\sigma}_{\vec{z}, z} \models \vec{y} : \vec{U}$, every head-reduct of $f\vec{v}\sigma(c\vec{x}\sigma)\vec{y}\theta$ belongs to $\llbracket V \rrbracket_{\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{v}\sigma, c\vec{x}\sigma}_{\vec{z}, z}}$. A recursor is head-computable if it is head-computable w.r.t. every constructor of $C$. $\mathcal{R}ec(C)$ is head-computable if all its recursors are head-computable.

$\mathcal{R}ec(C)$ is admissible if it is head-computable and complete w.r.t. accessibility.

Completeness w.r.t. accessibility exactly ensures that, if $c\vec{t}$ is computable then, for all $j \in Acc(c)$, $t_j$ is computable (Lemma 53 in [6]), hence that non-recursor higher-order symbols are computable (see Lemma 68 in [6]). We now prove that the elimination-based interpretation of first-order data types is $\mathcal{SN}$, hence that first-order symbols are computable (see Lemma 63 in [6]).

Lemma 6.1. If $C$ is a first-order data type and $\mathcal{R}ec(C)$ is head-computable then $I_C(\vec{t}, \vec{S}) = \mathcal{SN}$.

Proof:

First note that $\vec{S} = \emptyset$ since $\{\vec{z}\} \subseteq \mathcal{X}^\star$. So, we do not write $\vec{S}$ in the following. By definition, for all $\vec{t}$, $I_C(\vec{t}) \subseteq \mathcal{SN}$. We now prove that, if $t \in \mathcal{SN}$ then, for all $\vec{t}$, $t \in I_C(\vec{t})$, by induction on $t$ with $\to \cup \rhd$ as well-founded ordering. If some $t_i$ has no normal form then $t \in I_C(\vec{t}) = \mathcal{SN}$. Assume now that every $t_i$ has a normal form $t_i^*$. Let $f : (\vec{z} : \vec{V})(z : C\vec{z})(\vec{y} : \vec{U})V$ be a recursor of $C$, $\vec{y}\xi$, $\vec{y}\theta$ and $\sigma = \theta^{\vec{t}^*, t}_{\vec{z}, z}$ such that $\xi, \sigma \models \vec{y} : \vec{U}$. We must prove that $v = f\vec{t}^* t\vec{y}\theta \in S = \llbracket V \rrbracket_{\xi,\sigma}$. Since $v$ is neutral, it suffices to prove that $\to(v) \subseteq S$. We proceed by induction on $t\vec{y}\theta$ with $\to$ as well-founded ordering ($\vec{y}\theta \in \mathcal{SN}$ by R1).

If the reduction takes place in $t\vec{y}\theta$, we can conclude by induction hypothesis. Assume now that $v'$ is a head-reduct of $v$. By assumption on recursors, $t$ is of the form $c\vec{u}$ with $c : (\vec{x} : \vec{T})C\vec{v}$. Let $\gamma = \{\vec{x} \mapsto \vec{u}\}$. Since $C$ is a first-order data type, every $u_j$ is accessible and every $T_j$ is of the form $D\vec{w}$ with $D$ a first-order data type too. Thus, by induction hypothesis, for all $j$, $u_j \in I_D(\vec{w}_j\gamma)$. Therefore, $\emptyset, \gamma \models \Gamma_c$ and $v' \in S$ since $\xi, \sigma \models \vec{y} : \vec{U}$ and recursors are assumed to be head-computable. □

Lemma 6.2. Head-computable recursors are computable.

Proof:

Let $f : (\vec{z} : \vec{V})(z : C\vec{z})(\vec{y} : \vec{U})V$ be a recursor and assume that $\xi, \theta \models \Gamma_f$. We must prove that $v = f\vec{z}\theta z\theta\vec{y}\theta \in S = \llbracket V \rrbracket_{\xi,\theta}$. Since $v$ is neutral, it suffices to prove that $\to(v) \subseteq S$. We proceed by induction on $\vec{z}\theta z\theta\vec{y}\theta$ with $\to$ as well-founded ordering ($\vec{z}\theta z\theta\vec{y}\theta \in \mathcal{SN}$ by R1). If the reduction takes place in $\vec{z}\theta z\theta\vec{y}\theta$, we conclude by induction hypothesis. Assume now that we have a head-reduct $v'$. By definition of recursors (see Definition 5.1), $z\theta$ is of the form $c\vec{u}$ with $c : (\vec{x} : \vec{T})C\vec{v}$, and $v'$ is also a head-reduct of $v_0 = f(\vec{z}\theta)^* z\theta\vec{y}\theta$. Since $\xi, \theta \models \Gamma_f$, we have $z\theta = c\vec{u} \in \llbracket C\vec{z} \rrbracket_{\xi,\theta} = I_C(\vec{z}\theta, \vec{z}\xi)$. Therefore, by definition of $I_C$, $v_0 \in S$ and, by (R2), $v' \in S$. □

Lemma 6.3. (Computability) 

For all $g$, if $\vdash^g_<$ is computable then $\vdash_g$ is computable.

Proof:

We prove that, if $\Gamma \vdash_g t : T$ and $\eta, \sigma \models \Gamma$ then $t\sigma \in \llbracket T \rrbracket_{\eta,\sigma}$, by induction on $\Gamma \vdash_g t : T$. We only detail the (symb) case. The other cases are detailed in Lemma 66 in [6]. So, assume that $\vdash_g f : \tau_f$. If $f < g$ then, by Lemma 3.1, $\vdash^g_< f : \tau_f$ and $f$ is computable since $\vdash^g_<$ is assumed to be computable. Otherwise, $f \simeq g$ and $\vdash^f_< = \vdash^g_<$. If $f$ is a recursor then we can conclude by Lemma 6.2. So, assume that $f$ is not a recursor and that $\tau_f = (\vec{x} : \vec{T})U$ with $U$ distinct from a product. By Definition 4.2, $f$ is computable iff, for all $\tau_f$-valid pair $(\eta, \sigma)$, $t = f\vec{x}\sigma \in R = \llbracket U \rrbracket_{\eta,\sigma}$.

If $t$ is neutral then, by Definition 4.1, it suffices to prove that $\to(t) \subseteq R$, which follows from Lemmas 63 and 68 in [6]. Assume now that $t$ is not neutral. Then, $U = C\vec{v}$ with $C \in \mathcal{CF}^\Box$, and $R = I_C(\vec{v}\sigma, \vec{S})$ with $\vec{S} = \llbracket \vec{v} \rrbracket_{\eta,\sigma}$. If $C \in \mathcal{CF}^\Box_{intro}$ then, again, it follows from Lemmas 63 and 68 in [6]. Otherwise, $C \in \mathcal{CF}^\Box_{elim}$ and, by Definition 5.1, $f$ is constant.

By Corollary 3.1, $\vdash^f_< \tau_f : s_f$. Since, by assumption, $\vdash^f_<$ is computable, by (R1), $\vec{v}\sigma \in \mathcal{SN}$. So, let $g : (\vec{z} : \vec{V})(z : C\vec{z})(\vec{y} : \vec{U})V$ be a recursor of $C$, $\vec{y}\xi$ and $\vec{y}\theta$ such that $\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{v}\sigma, f\vec{x}\sigma}_{\vec{z}, z} \models \vec{y} : \vec{U}$. We must prove that $v = g(\vec{v}\sigma)^*(f\vec{x}\sigma)\vec{y}\theta \in S = \llbracket V \rrbracket_{\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{v}\sigma, f\vec{x}\sigma}_{\vec{z}, z}}$. Since $v$ is neutral, it suffices to prove that $\to(v) \subseteq S$. By (R1), $\vec{x}\sigma\vec{y}\theta \in \mathcal{SN}$. So, we can proceed by induction on $\vec{x}\sigma\vec{y}\theta$ with $\to$ as well-founded ordering. No reduction can take place at the top of $f\vec{x}\sigma$ since $f$ is constant. In the case of a reduction in $\vec{x}\sigma\vec{y}\theta$, we conclude by induction hypothesis. Finally, in the case of a head-reduction, we conclude by head-computability of $g$. □

We can now state our main result: 

Theorem 6.1. (Strong normalization) 

$\beta \cup \mathcal{R}$ preserves typing and is strongly normalizing if:

- $\beta \cup \mathcal{R}$ is confluent⁵ (if there are predicate-level rules),

- rewrite rules are well-typed,

- every constant predicate symbol $C \in \mathcal{CF}^\Box_{elim}$ is equipped with an admissible set $\mathcal{R}ec(C)$ of recursors,

- strong recursors and non-recursor symbols satisfy the conditions given in Definition 29 in [6].

⁵ Again, this is the case if, for instance, $\mathcal{R}$ is confluent and left-linear [22].

Proof:

After Lemma 3.1, we can proceed by induction on the precedence. Hence, by Lemma 6.3, every well-typed term is computable. Let $t$ be a term such that $\Gamma \vdash t : T$. With $\vec{x}\theta = \vec{x}$ and $x\xi = \top_{x\Gamma}$, we clearly have $\xi, \theta \models \Gamma$ since, by Lemma 33 in [6], variables are elements of every candidate. Thus, by (R1), $t \in \mathcal{SN}$. □

As an application of this theorem, we prove just below the admissibility of a large class of recursors for strictly positive types, from which Coq's recursors [8] can easily be derived (see Section 7). Before that, let us remark that the condition 16 and the safeness condition described in the introduction (Definitions 1.1 and 1.2 respectively) are no longer necessary for weak recursors. On the other hand, the safeness condition is still necessary for non-recursor symbols and for strong recursors on types like $JMeq$.

Definition 6.2. (Canonical recursors for strictly positive types) 

Let $C : (\vec{z} : \vec{V})\star$ and $\vec{c}$ be strictly positive constructors of $C$, that is, if $c_i$ is of type $(\vec{x} : \vec{T})C\vec{v}$ then either no type equivalent to $C$ occurs in $T_j$ or $T_j$ is of the form $(\vec{a} : \vec{W})C\vec{w}$ with no type equivalent to $C$ in $\vec{W}$. The parameters of $C$ are the biggest sequence $\vec{q}$ such that $C : (\vec{q} : \vec{Q})(\vec{z} : \vec{V})\star$ and each $c_i$ is of type $(\vec{q} : \vec{Q})(\vec{x} : \vec{T})C\vec{q}\vec{v}$ with $T_j = (\vec{a} : \vec{W})C\vec{q}\vec{w}$ if $C$ occurs in $T_j$.

The canonical weak recursor of $C$ w.r.t. $\vec{c}$ is $rec^\star_{\vec{c}} : (\vec{q} : \vec{Q})(\vec{z} : \vec{V})(z : C\vec{q}\vec{z})(P : (\vec{z} : \vec{V})C\vec{q}\vec{z} \Rightarrow \star)(\vec{y} : \vec{U})P\vec{z}z$ with $U_i = (\vec{x} : \vec{T})(\vec{x}' : \vec{T}')P\vec{v}(c_i\vec{q}\vec{x})$, $T'_j = (\vec{a} : \vec{W})P\vec{w}(x_j\vec{a})$ if $T_j = (\vec{a} : \vec{W})C\vec{q}\vec{w}$, and $T'_j = T_j$ otherwise, defined by the rules $rec^\star_{\vec{c}}\ \vec{q}\ \vec{z}\ (c_i\vec{q}'\vec{x})\ P\ \vec{y} \to y_i\vec{x}\vec{t}'$ where $\vec{q}, \vec{z}, \vec{q}', \vec{x}, P, \vec{y}$ are variables, $t'_j = [\vec{a} : \vec{W}](rec^\star_{\vec{c}}\ \vec{q}\ \vec{w}\ (x_j\vec{a})\ P\ \vec{y})$ if $T_j = (\vec{a} : \vec{W})C\vec{q}\vec{w}$, and $t'_j = x_j$ otherwise.⁶

The canonical strong recursor⁷ of $C$ w.r.t. $\vec{c}$ and $P = [\vec{z} : \vec{V}][z : C\vec{q}\vec{z}]Q$ is $rec^P_{\vec{c}} : (\vec{q} : \vec{Q})(\vec{z} : \vec{V})(z : C\vec{q}\vec{z})(\vec{y} : \vec{U})Q$ with $U_i = (\vec{x} : \vec{T})(\vec{x}' : \vec{T}')Q\{\vec{z} \mapsto \vec{v}, z \mapsto c_i\vec{q}\vec{x}\}$, $T'_j = (\vec{a} : \vec{W})Q\{\vec{z} \mapsto \vec{w}, z \mapsto x_j\vec{a}\}$ if $T_j = (\vec{a} : \vec{W})C\vec{q}\vec{w}$, and $T'_j = T_j$ otherwise, defined by the rules $rec^P_{\vec{c}}\ \vec{q}\ \vec{z}\ (c_i\vec{q}'\vec{x})\ \vec{y} \to y_i\vec{x}\vec{t}'$ where $\vec{q}, \vec{z}, \vec{q}', \vec{x}, \vec{y}$ are variables, $t'_j = [\vec{a} : \vec{W}](rec^P_{\vec{c}}\ \vec{q}\ \vec{w}\ (x_j\vec{a})\ \vec{y})$ if $T_j = (\vec{a} : \vec{W})C\vec{q}\vec{w}$, and $t'_j = x_j$ otherwise.

Lemma 6.4. The rules defining canonical recursors preserve typing.

Proof:

For the rule $rec^\star_{\vec{c}}\ \vec{q}\ \vec{z}\ (c_i\vec{q}'\vec{x})\ P\ \vec{y} \to y_i\vec{x}\vec{t}'$, take $\Gamma = \vec{q} : \vec{Q}, \vec{x} : \vec{T}, P : (\vec{z} : \vec{V})C\vec{q}\vec{z} \Rightarrow \star, \vec{y} : \vec{U}$ and $\rho = \{\vec{z} \mapsto \vec{v}, \vec{q}' \mapsto \vec{q}\}$. We prove the conditions required in Section 3:

- One can easily check that $\Gamma \vdash y_i\vec{x}\vec{t}' : P\vec{v}(c_i\vec{q}\vec{x})$.

- Assume now that $\Delta \vdash (rec^\star_{\vec{c}}\ \vec{q}\ \vec{z}\ (c_i\vec{q}'\vec{x})\ P\ \vec{y})\sigma : T$. We must prove that $\sigma : \Gamma \leadsto \Delta$ and $\sigma \downarrow \rho\sigma$. Both properties follow by inversion of the typing judgment and confluence.

The proof is about the same for strong recursors. □

Lemma 6.5. The set of canonical recursors is complete w.r.t. accessibility.⁸

⁶ We could erase the useless arguments $t'_j = x_j$ when $T'_j = T_j$ as it is done in CIC.

⁷ Strong recursors cannot be defined exactly like weak recursors by simply taking $P : (\vec{z} : \vec{V})C\vec{q}\vec{z} \Rightarrow \Box$ since $(\vec{z} : \vec{V})C\vec{q}\vec{z} \Rightarrow \Box$ is not typable in CC. They must be defined for each $P$. That is why Werner considered a slightly more general PTS in [32].

⁸ In [32] (Lemma 4.35), Werner proves a similar result.
Proof:

Let $c = c_i : (\vec{q} : \vec{Q})(\vec{x} : \vec{T})C\vec{q}\vec{v}$ be a constructor of $C : (\vec{q} : \vec{Q})(\vec{z} : \vec{V})\star$, $\vec{q}\eta$, $\vec{x}\eta$, $\vec{q}\sigma$ and $\vec{x}\sigma$ such that $\vec{q}\sigma\vec{v}\sigma \in \mathcal{SN}$ and $c\vec{q}\sigma\vec{x}\sigma \in \llbracket C\vec{q}\vec{v} \rrbracket_{\eta,\sigma} = I_C(\vec{q}\sigma\vec{v}\sigma, \vec{q}\eta\llbracket \vec{v} \rrbracket_{\eta,\sigma})$. Let $\vec{a} = \vec{q}\vec{x}$ and $\vec{A} = \vec{Q}\vec{T}$. We must prove that, for all $j$, $a_j\sigma \in \llbracket A_j \rrbracket_{\eta,\sigma}$. For the sake of simplicity, we assume that weak and strong recursors have the same syntax. Since $\vec{q}\sigma\vec{v}\sigma$ have normal forms, it suffices to find $P$ and $\vec{u}$ such that $rec_{\vec{c}}\ \vec{q}\ \vec{v}\ (c\vec{a})\ P\ \vec{u} \to u_i\vec{x}\vec{t}' \to^* a_j$. Take $P = [\vec{z} : \vec{V}][z : C\vec{q}\vec{z}]A_j$ and $\vec{u} = [\vec{x} : \vec{T}][\vec{x}' : \vec{T}']a_j$. □

Lemma 6.6. Canonical recursors are head-computable.

Proof:

Let $f = rec^\star_{\vec{c}} : (\vec{q} : \vec{Q})(\vec{z} : \vec{V})(z : C\vec{q}\vec{z})(P : (\vec{z} : \vec{V})C\vec{q}\vec{z} \Rightarrow \star)(\vec{y} : \vec{U})P\vec{z}z$ be the canonical weak recursor w.r.t. $\vec{c}$, $T = (\vec{z} : \vec{V})C\vec{q}\vec{z} \Rightarrow \star$, $c = c_i : (\vec{q} : \vec{Q})(\vec{x} : \vec{T})C\vec{q}\vec{v}$, $\vec{q}\eta$, $\vec{q}\sigma$, $\vec{x}\eta$, $\vec{x}\sigma$, $P\xi$, $P\theta$, $\vec{y}\xi$, $\vec{y}\theta$, $\vec{R} = \llbracket \vec{v} \rrbracket_{\eta,\sigma}$, $\xi' = \xi^{\vec{q}\eta, \vec{R}}_{\vec{q}, \vec{z}}$ and $\theta' = \theta^{\vec{q}\sigma, \vec{v}\sigma, c\vec{x}\sigma}_{\vec{q}, \vec{z}, z}$, and assume that $\vdash^f_<$ is computable, $\eta, \sigma \models \Gamma_c$ and $\eta\xi', \sigma\theta' \models P : T, \vec{y} : \vec{U}$. We must prove that $y_i\theta\ \vec{x}\sigma\ \vec{t}'\sigma\theta \in \llbracket P\vec{z}z \rrbracket_{\xi',\theta'}$.

We have $y_i\theta \in \llbracket U_i \rrbracket_{\xi',\theta'}$ with $U_i = (\vec{x} : \vec{T})(\vec{x}' : \vec{T}')P\vec{v}(c\vec{q}\vec{x})$, and $\vec{x}\sigma \in \llbracket \vec{T} \rrbracket_{\eta,\sigma} = \llbracket \vec{T} \rrbracket_{\eta\xi',\sigma\theta'}$. We prove that $\vec{t}'\sigma\theta \in \llbracket \vec{T}' \rrbracket_{\eta\xi',\sigma\theta'}$. If $T'_j = T_j$ then $t'_j\sigma\theta = x_j\sigma$ and we are done. Otherwise, $T_j = (\vec{a} : \vec{W})C\vec{q}\vec{w}$, $T'_j = (\vec{a} : \vec{W})P\vec{w}(x_j\vec{a})$ and $t'_j = [\vec{a} : \vec{W}]f\ \vec{q}\ \vec{w}\ (x_j\vec{a})\ P\ \vec{y}$. Let $\vec{a}\zeta$ and $\vec{a}\gamma$ such that $\eta\xi'\zeta, \sigma\theta'\gamma \models \vec{a} : \vec{W}$. Let $t = x_j\sigma\vec{a}\gamma$. We must prove that $v = f\ \vec{q}\sigma\ \vec{w}\sigma\gamma\ t\ P\theta\ \vec{y}\theta \in S = \llbracket P\vec{w}(x_j\vec{a}) \rrbracket_{\eta\xi'\zeta,\sigma\theta'\gamma}$. Since $v$ is neutral, it suffices to prove that $\to(v) \subseteq S$.

By (R1), we have $\vec{q}\sigma\ t\ P\theta\ \vec{y}\theta \in \mathcal{SN}$. Since $\vdash^f_<$ is computable and $\vec{w}$ is a subterm of $\tau_f$, by (R1), we also have $\vec{w}\sigma\gamma \in \mathcal{SN}$. Thus, we can proceed by induction on $\vec{q}\sigma\ \vec{w}\sigma\gamma\ t\ P\theta\ \vec{y}\theta$ with $\to$ as well-founded ordering. In the case of a reduction in $\vec{q}\sigma\ \vec{w}\sigma\gamma\ t\ P\theta\ \vec{y}\theta$, we conclude by induction hypothesis. Assume now that we have a head-reduct $v'$. By definition of recursors, $v'$ is also a head-reduct of $v_0 = f\ (\vec{q}\sigma)^*\ (\vec{w}\sigma\gamma)^*\ t\ P\theta\ \vec{y}\theta$ where $(\vec{q}\sigma)^*$ and $(\vec{w}\sigma\gamma)^*$ are the normal forms of $\vec{q}\sigma$ and $\vec{w}\sigma\gamma$. If $v_0 \in S$ then, by (R2), $v' \in S$. So, let us prove that $v_0 \in S$.

By candidate substitution (Lemma 40 in [6]), $S = \llbracket P\vec{z}z \rrbracket_{\xi'',\theta''}$ with $\xi'' = \xi^{\vec{q}\eta, \vec{S}'}_{\vec{q}, \vec{z}}$, $\theta'' = \theta^{\vec{q}\sigma, \vec{w}\sigma\gamma, t}_{\vec{q}, \vec{z}, z}$ and $\vec{S}' = \llbracket \vec{w} \rrbracket_{\eta\xi'\zeta,\sigma\theta'\gamma} = \llbracket \vec{w} \rrbracket_{\eta\zeta,\sigma\gamma}$ since $FV(\vec{w}) \subseteq \{\vec{q}, P, \vec{x}, \vec{a}\}$. Since $x_j\sigma \in \llbracket T_j \rrbracket_{\eta\xi',\sigma\theta'}$ and $\eta\xi'\zeta, \sigma\theta'\gamma \models \vec{a} : \vec{W}$, $t \in \llbracket C\vec{q}\vec{w} \rrbracket_{\eta\xi'\zeta,\sigma\theta'\gamma} = I_C(\vec{q}\sigma\ \vec{w}\sigma\gamma, \vec{q}\eta\vec{S}')$. Since $\eta\xi', \sigma\theta' \models P : T, \vec{y} : \vec{U}$ and $FV(T\vec{U}) \subseteq \{\vec{q}, P\}$, we have $\eta\xi, \sigma\theta \models P : T, \vec{y} : \vec{U}$ and $\eta\xi'', \sigma\theta'' \models P : T, \vec{y} : \vec{U}$. Therefore, $v_0 \in S$.

The proof is about the same for strong recursors. □

7. Application to CIC 

It follows that CAC subsumes CIC almost completely. However, Theorem 6.1 cannot be applied to CIC directly since CIC and CAC do not have the same syntax and the same typing rules. So, we define a sub-system of CIC, called CIC⁻, whose terms can be translated into a CAC satisfying the conditions of Theorem 6.1.

The $\iota$-reduction of CIC introduces many $\beta$-redexes and the recursive calls on $Elim$ are made on bound variables which are later instantiated by structurally smaller terms. Instead, we consider the relation $\to_{\beta\iota'}$ where one step of $\to_{\iota'}$ corresponds to a $\iota$-reduction followed by as many $\beta$-reductions as necessary for erasing the $\beta$-redexes introduced by the $\iota$-reduction. This is the reduction relation which is actually implemented in the Coq system [8]. Moreover, we conjecture that the strong normalization of $\to_{\beta\iota'}$ implies the strong normalization of $\to_{\beta\iota}$.
Definition 7.1. ($\iota'$-reduction)

The $\iota'$-reduction is the reduction relation defined by the rule:

$Elim(I, Q, \vec{x}, Constr(i, I')\vec{z})\{\vec{f}\} \to \Delta'[I, X, C_i, f_i, Q, \vec{f}, \vec{z}]$

where $I = Ind(X : A)\{\vec{C}\}$ and $\Delta'[I, X, C, f, Q, \vec{f}, \vec{z}]$ is defined as follows:

- $\Delta'[I, X, X\vec{m}, f, Q, \vec{f}, \emptyset] = f$

- $\Delta'[I, X, (z : B)D, f, Q, \vec{f}, z\vec{z}] = \Delta'[I, X, D, fz, Q, \vec{f}, \vec{z}]$ if $X \notin FV(B)$

- $\Delta'[I, X, (z : B)D, f, Q, \vec{f}, z\vec{z}] = \Delta'[I, X, D, fz[\vec{y} : \vec{D}]Elim(I, Q, \vec{q}, z\vec{y})\{\vec{f}\}, Q, \vec{f}, \vec{z}]$ if $B = (\vec{y} : \vec{D})X\vec{q}$

We now define the sub-system of CIC (see Figure 3) that we are going to consider:

Definition 7.2. (CIC⁻)

• We exclude any use of the sort $\triangle$ in order to stay in the Calculus of Constructions.

• In the rule (conv), instead of requiring $T \simeq_{\beta\iota} T'$, we require $T \downarrow_{\beta\iota'} T'$, which is equivalent to $T \simeq_{\beta\iota} T'$ since $\to_{\beta\iota'}$ is confluent (orthogonal CRS [25]).

• In the rule (Ind), we require $I$ to be in normal form w.r.t. $\to_{\beta\iota'}$ (set $\mathcal{NF}$) and to be typable in the empty environment since, in CAC, the types of symbols must be typable in the empty environment. This is not a real restriction since any type $I = Ind(X : A)\{\vec{C}\}$ typable in an environment $\Gamma = \vec{y} : \vec{U}$ can be replaced by a type $I' = Ind(X' : A')\{\vec{C}'\}$ typable in the empty environment. It suffices to take $A' = (\vec{y} : \vec{U})A$, $C'_i = (\vec{y} : \vec{U})C_i\{X \mapsto X'\vec{y}\}$ and to replace $I$ by $I'\vec{y}$ and $Constr(i, I)$ by $Constr(i, I')\vec{y}$. Furthermore, we adapt the definition of small constructor type accordingly. A constructor type $C$ of an inductive type $I = Ind(X : A)\{\vec{C}\}$ with $A = (\vec{x} : \vec{A})\star$ is small if it is of the form $(\vec{x}' : \vec{A}')(\vec{z} : \vec{B})X\vec{m}$ with $\vec{x}' : \vec{A}'$ a sub-sequence of $\vec{x} : \vec{A}$ and $\{\vec{z}\} \cap \mathcal{X}^\Box = \emptyset$.

• In the rule ($\star$-Elim), we require $Q$ to be typable in the empty environment, and add explicit typing judgments for $T_i$ and $I$. Again, it is not a real restriction since we can always replace an environment by additional abstractions.

• In the rule ($\Box$-Elim), instead of requiring $\vdash Q : (\vec{x} : \vec{A})I\vec{x} \Rightarrow \Box$, which is not possible in CC, we require $Q$ to be of the form $[\vec{x} : \vec{A}][y : I\vec{x}]K$ with $\vec{x} : \vec{A}, y : I\vec{x} \vdash K : \Box$ (this just requires some $\eta$-expansions) and $f_i$ to be of type $T_i = \Delta'\{I, X, C_i, \vec{x}y, K, Constr(i, I)\}$ where $\Delta'\{I, X, C, \vec{x}y, K, c\}$ is defined as follows:

- $\Delta'\{I, X, X\vec{m}, \vec{x}y, K, c\} = K\{\vec{x} \mapsto \vec{m}, y \mapsto c\}$,

- $\Delta'\{I, X, (z : B)D, \vec{x}y, K, c\} = (z : B\{X \mapsto I\})((\vec{y} : \vec{D})K\{\vec{x} \mapsto \vec{q}, y \mapsto z\vec{y}\}) \Rightarrow \Delta'\{I, X, D, \vec{x}y, K, cz\}$ if $B = (\vec{y} : \vec{D})X\vec{q}$.

Moreover, we require $Q$ to be in normal form and $T_i$ to be typable. We also take $\Gamma \vdash Elim(I, Q, \vec{a}, c)\{\vec{f}\} : K\{\vec{x} \mapsto \vec{a}, y \mapsto c\}$ instead of $\Gamma \vdash Elim(I, Q, \vec{a}, c)\{\vec{f}\} : Q\vec{a}c$. Finally, we require $I$ to be safe (see Definition 1.2): if $A = (\vec{x} : \vec{A})\star$ and $C_i = (\vec{z} : \vec{B})X\vec{m}$ then:

- for all $x_i \in \mathcal{X}^\Box$, $m_i \in \mathcal{X}^\Box$,

- for all $x_i, x_j \in \mathcal{X}^\Box$ with $i \neq j$, $m_i \neq m_j$.

We now show that CIC⁻ can be translated into a CAC satisfying the conditions of Theorem 6.1.

Figure 3. Typing rules of CIC⁻

(Ind)
$\dfrac{A = (\vec{x} : \vec{A})\star \qquad \vdash A : \Box \qquad \forall i,\ X : A \vdash C_i : \star \qquad I = Ind(X : A)\{\vec{C}\} \in \mathcal{NF} \text{ is strictly positive}}{\vdash I : A}$

(Constr)
$\dfrac{I = Ind(X : A)\{\vec{C}\} \qquad \Gamma \vdash I : T}{\Gamma \vdash Constr(i, I) : C_i\{X \mapsto I\}}$

($\star$-Elim)
$\dfrac{\begin{array}{c} A = (\vec{x} : \vec{A})\star \qquad I = Ind(X : A)\{\vec{C}\} \qquad \Gamma \vdash I : T \qquad \vdash Q : (\vec{x} : \vec{A})I\vec{x} \Rightarrow \star \\ T_i = \Delta\{I, X, C_i, Q, Constr(i, I)\} \qquad \vdash T_i : \star \\ \forall j,\ \Gamma \vdash a_j : A_j\{\vec{x} \mapsto \vec{a}\} \qquad \Gamma \vdash c : I\vec{a} \qquad \forall i,\ \Gamma \vdash f_i : T_i \end{array}}{\Gamma \vdash Elim(I, Q, \vec{a}, c)\{\vec{f}\} : Q\vec{a}c}$

($\Box$-Elim)
$\dfrac{\begin{array}{c} A = (\vec{x} : \vec{A})\star \qquad I = Ind(X : A)\{\vec{C}\} \text{ is small and safe} \\ Q = [\vec{x} : \vec{A}][y : I\vec{x}]K \in \mathcal{NF} \qquad \vec{x} : \vec{A}, y : I\vec{x} \vdash K : \Box \\ T_i = \Delta'\{I, X, C_i, \vec{x}y, K, Constr(i, I)\} \qquad \vdash T_i : \Box \\ \forall j,\ \Gamma \vdash a_j : A_j\{\vec{x} \mapsto \vec{a}\} \qquad \Gamma \vdash c : I\vec{a} \qquad \forall i,\ \Gamma \vdash f_i : T_i \end{array}}{\Gamma \vdash Elim(I, Q, \vec{a}, c)\{\vec{f}\} : K\{\vec{x} \mapsto \vec{a}, y \mapsto c\}}$

(Conv)
$\dfrac{\Gamma \vdash t : T \qquad T \downarrow_{\beta\iota'} T' \qquad \Gamma \vdash T' : s}{\Gamma \vdash t : T'}$

Definition 7.3. (Translation)

We define $\langle t \rangle$ on well-typed terms, by induction on $\Gamma \vdash t : T$:

• If $I = Ind(X : A)\{\vec{C}\}$ then $\langle I \rangle = Ind_I$ where $Ind_I$ is a symbol of type $\langle A \rangle$.

• $\langle Constr(i, I) \rangle = Constr^i_I$ where $Constr^i_I$ is a symbol of type $\langle C_i\{X \mapsto I\} \rangle$.

• If $Q$ is not of the form $[\vec{x} : \vec{A}][y : I\vec{x}](\vec{y} : \vec{U})\star$ then $\langle Elim(I, Q, \vec{a}, c)\{\vec{f}\} \rangle = WElim_I\ \langle Q \rangle\ \langle \vec{a} \rangle\ \langle c \rangle\ \langle \vec{f} \rangle$ where $WElim_I$ is a symbol of type $(Q : (\vec{x} : \langle \vec{A} \rangle)\langle I \rangle\vec{x} \Rightarrow \star)(\vec{x} : \langle \vec{A} \rangle)(y : \langle I \rangle\vec{x})(\vec{f} : \langle \vec{T} \rangle)Q\vec{x}y$.

• If $Q = [\vec{x} : \vec{A}][y : I\vec{x}]K$ with $K = (\vec{y} : \vec{U})\star$ then $\langle Elim(I, Q, \vec{a}, c)\{\vec{f}\} \rangle = SElim^Q_I\ \langle \vec{a} \rangle\ \langle c \rangle\ \langle \vec{f} \rangle$ where $SElim^Q_I$ is a symbol of type $(\vec{x} : \langle \vec{A} \rangle)(y : \langle I \rangle\vec{x})(\vec{f} : \langle \vec{T} \rangle)\langle K \rangle$.

• The translation of the other terms is defined recursively: $\langle uv \rangle = \langle u \rangle\langle v \rangle$, ...

Let $\mathcal{T}$ be the CAC whose symbols are $Ind_I$, $Constr^i_I$, $WElim_I$ and $SElim^Q_I$, and whose rules are:

$WElim_I\ Q\ \vec{x}\ (Constr^i_I\ \vec{z})\ \vec{f} \to \Delta'_w[I, X, C_i, f_i, Q, \vec{f}, \vec{z}]$
$SElim^Q_I\ \vec{x}\ (Constr^i_I\ \vec{z})\ \vec{f} \to \Delta'_s[I, X, C_i, f_i, Q, \vec{f}, \vec{z}]$

where $\Delta'_w[I, X, C, f, Q, \vec{f}, \vec{z}]$ and $\Delta'_s[I, X, C, f, Q, \vec{f}, \vec{z}]$ are defined as follows:

- $\Delta'_w[I, X, X\vec{m}, f, Q, \vec{f}, \emptyset] = \Delta'_s[I, X, X\vec{m}, f, Q, \vec{f}, \emptyset] = f$,

- $\Delta'_s[I, X, (z : B)D, f, Q, \vec{f}, z\vec{z}] = \Delta'_s[I, X, D, fz, Q, \vec{f}, \vec{z}]$ and $\Delta'_w[I, X, (z : B)D, f, Q, \vec{f}, z\vec{z}] = \Delta'_w[I, X, D, fz, Q, \vec{f}, \vec{z}]$ if $X \notin FV(B)$,

- $\Delta'_s[I, X, (z : B)D, f, Q, \vec{f}, z\vec{z}] = \Delta'_s[I, X, D, fz[\vec{y} : \vec{D}]SElim^Q_I\ \vec{q}\ (z\vec{y})\ \vec{f}, Q, \vec{f}, \vec{z}]$ and $\Delta'_w[I, X, (z : B)D, f, Q, \vec{f}, z\vec{z}] = \Delta'_w[I, X, D, fz[\vec{y} : \vec{D}]WElim_I\ Q\ \vec{q}\ (z\vec{y})\ \vec{f}, Q, \vec{f}, \vec{z}]$ if $B = (\vec{y} : \vec{D})X\vec{q}$.

Let $\vdash_{\mathcal{T}}$ be the typing relation of $\mathcal{T}$.

Theorem 7.1. The relation $\to_{\beta\iota'}$ in CIC⁻ preserves typing and is strongly normalizing.

Proof:

First, one can easily check that the translation preserves typing and reductions:

- If $\Gamma \vdash t : T$ then $\langle \Gamma \rangle \vdash_{\mathcal{T}} \langle t \rangle : \langle T \rangle$.

- If $\Gamma \vdash t : T$ and $t \to_{\beta\iota'} t'$ then $\langle t \rangle \to \langle t' \rangle$.

Thus, we are left to prove that $\mathcal{T}$ satisfies the conditions of Theorem 6.1. The symbols $WElim_I$ and $SElim^Q_I$ are the canonical recursors of $Ind_I$ w.r.t. the constructors $Constr^i_I$ (see Definition 6.2). Hence, subject reduction follows from Lemma 6.4, and the fact that $\mathcal{R}ec(Ind_I) = \{WElim_I, SElim^Q_I\}$ is admissible follows from Lemma 6.5 and Lemma 6.6. □



8. Non-strictly positive types 

We are going to see that the use of elimination-based interpretations allows us to have functions defined by recursion on non-strictly positive types, while CIC has always been restricted to strictly positive types. An interesting example is given by Abel's formalization of first-order terms with continuations as an inductive type $trm : \star$ with the constructors [1]:

$var : nat \Rightarrow trm$
$fun : nat \Rightarrow (list\ trm) \Rightarrow trm$
$mu : \neg\neg trm \Rightarrow trm$

where $list : \star \Rightarrow \star$ is the type of polymorphic lists, $\neg X$ is an abbreviation for $X \Rightarrow \bot$ (in the next section, we will prove that $\neg$ can be defined as a function), and $\bot : \star$ is the empty type. Its recursor $rec : (A : \star)(y_1 : nat \Rightarrow A)(y_2 : nat \Rightarrow list\ trm \Rightarrow list\ A \Rightarrow A)(y_3 : \neg\neg trm \Rightarrow \neg\neg A \Rightarrow A)(z : trm)A$ can be defined by the rules:

$rec\ A\ y_1\ y_2\ y_3\ (var\ n) \to y_1\ n$
$rec\ A\ y_1\ y_2\ y_3\ (fun\ n\ l) \to y_2\ n\ l\ (map\ trm\ A\ (rec\ A\ y_1\ y_2\ y_3)\ l)$
$rec\ A\ y_1\ y_2\ y_3\ (mu\ f) \to y_3\ f\ [x : \neg A](f\ [y : trm](x\ (rec\ A\ y_1\ y_2\ y_3\ y)))$

where $map : (A : \star)(B : \star)(A \Rightarrow B) \Rightarrow list\ A \Rightarrow list\ B$ is defined by the rules:

$map\ A\ B\ f\ (nil\ A') \to nil\ B$
$map\ A\ B\ f\ (cons\ A'\ x\ l) \to cons\ B\ (f\ x)\ (map\ A\ B\ f\ l)$
$map\ A\ B\ f\ (app\ A'\ l\ l') \to app\ B\ (map\ A\ B\ f\ l)\ (map\ A\ B\ f\ l')$
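The rules for $rec$ and $map$ above can be executed directly. The following Python model is an added example, not code from the paper or from Abel's formalization: $trm$ and the list type (with its three constructors $nil$, $cons$, $app$) are Python classes, $A$ is instantiated to the integers, and the empty type $\bot$ is realized by an exception, so that a term of type $\neg X$ is a function that never returns normally. The names `index_sum`, `y3_sum`, `Escape` and the sample term are constructed for the example. It shows how the $mu$ rule makes the recursive call on a bound variable $y$ that the continuation $f$ only instantiates later (the non-strictly positive recursion the section is about), and how the $y_3$ case recovers a value of type $A$ from $\neg\neg A$.

```python
from dataclasses import dataclass
from typing import Any, Callable, Union

# Constructed Python model of trm (Abel's first-order terms with continuations)
# and of the list type with constructors nil, cons and app.  The empty type ⊥
# is realized by exceptions: a "proof" of ¬X = X ⇒ ⊥ is a function that never
# returns normally.  This realization is an assumption of the model.

class Bottom(Exception):
    """No value of type ⊥ exists; raising is the only way to 'return' one."""

@dataclass
class Var:
    n: int

@dataclass
class Fun:
    n: int
    args: Any                                  # a list built from Nil / Cons / App

@dataclass
class Mu:
    f: Callable[[Callable[[Any], None]], None]  # f : ¬¬trm = (trm ⇒ ⊥) ⇒ ⊥

Trm = Union[Var, Fun, Mu]

@dataclass
class Nil:
    pass

@dataclass
class Cons:
    x: Any
    l: Any

@dataclass
class App:
    l: Any
    m: Any

def map_list(f: Callable[[Any], Any], l: Any) -> Any:
    """map A B f l: one rule per list constructor (nil, cons, app)."""
    if isinstance(l, Nil):
        return Nil()
    if isinstance(l, Cons):
        return Cons(f(l.x), map_list(f, l.l))
    if isinstance(l, App):
        return App(map_list(f, l.l), map_list(f, l.m))
    raise TypeError(l)

def rec(y1, y2, y3, t: Trm):
    """rec A y1 y2 y3 t, following the three rewrite rules of Section 8:
    rec A y1 y2 y3 (var n)   → y1 n
    rec A y1 y2 y3 (fun n l) → y2 n l (map trm A (rec A y1 y2 y3) l)
    rec A y1 y2 y3 (mu f)    → y3 f [x:¬A](f [y:trm](x (rec A y1 y2 y3 y)))
    """
    if isinstance(t, Var):
        return y1(t.n)
    if isinstance(t, Fun):
        return y2(t.n, t.args, map_list(lambda u: rec(y1, y2, y3, u), t.args))
    if isinstance(t, Mu):
        f = t.f
        # The recursive call is on y, a bound variable of type trm that f will
        # instantiate when it invokes its continuation: the non-strictly positive case.
        return y3(f, lambda x: f(lambda y: x(rec(y1, y2, y3, y))))
    raise TypeError(t)

# --- an instance with A = int: the sum of all variable indices in a term ---

class Escape(Bottom):
    """Carries an int out of a continuation of type int ⇒ ⊥."""
    def __init__(self, value: int):
        super().__init__(value)
        self.value = value

def _throw(e: BaseException):
    raise e

def sum_list(l: Any) -> int:
    if isinstance(l, Nil):
        return 0
    if isinstance(l, Cons):
        return l.x + sum_list(l.l)
    return sum_list(l.l) + sum_list(l.m)

def y3_sum(f, g: Callable[[Callable[[int], None]], None]) -> int:
    """y3 : ¬¬trm ⇒ ¬¬int ⇒ int.  From g : ¬¬int an int is obtained by feeding
    g a continuation that escapes with its argument."""
    try:
        g(lambda a: _throw(Escape(a)))
    except Escape as e:
        return e.value
    raise Bottom("continuation was never invoked")

def index_sum(t: Trm) -> int:
    return rec(lambda n: n,
               lambda n, l, rl: n + sum_list(rl),
               y3_sum,
               t)

# Constructed sample: fun 1 (app (cons (var 2) nil) (cons (mu (λk. k (var 5))) nil))
SAMPLE = Fun(1, App(Cons(Var(2), Nil()), Cons(Mu(lambda k: k(Var(5))), Nil())))

if __name__ == "__main__":
    print(index_sum(SAMPLE))   # 8
```

The `mu` branch never inspects `f`; it only builds the continuation `[y : trm](x (rec ... y))` and hands it back to `f`, which is why the recursion is well founded even though `trm` occurs under a double negation: each value of type `trm` that `rec` is eventually applied to comes from `f` invoking its continuation, and `y3_sum` can only obtain an `int` by letting that happen.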
We now check that $rec$ is an admissible recursor. Completeness w.r.t. accessibility is easy. For the head-computability, we only detail the case of $mu$. Let $f\alpha$, $t = mu\ f\alpha$, $A\xi$, $A\theta$ and $\vec{y}\theta$ such that $\emptyset, \alpha \models \Gamma_{mu}$ and $\xi, \alpha\theta \models \Gamma = A : \star, \vec{y} : \vec{U}$ where $U_i$ is the type of $y_i$. Let $b = rec\ A\theta\ \vec{y}\theta$, $c = [y : trm](x(by))$ and $a = [x : \neg A\theta](f\alpha\ c)$. We must prove that $y_3\theta\ f\alpha\ a \in \llbracket A \rrbracket_{\xi,\alpha\theta} = A\xi$.

Since $\xi, \alpha\theta \models \Gamma$, $y_3\theta \in \llbracket \neg\neg trm \Rightarrow \neg\neg A \Rightarrow A \rrbracket_{\xi,\theta}$. Since $\emptyset, \alpha \models \Gamma_{mu}$, $f\alpha \in \llbracket \neg\neg trm \rrbracket$. Thus, we are left to prove that $a \in \llbracket \neg\neg A \rrbracket_{\xi,\theta}$, that is, $f\alpha\ c\gamma \in I_\bot$ for all $x\gamma \in \llbracket \neg A \rrbracket_{\xi,\theta}$. Since $f\alpha \in \llbracket \neg\neg trm \rrbracket$, it suffices to prove that $c\gamma \in \llbracket \neg trm \rrbracket$, that is, $x\gamma(by\gamma) \in I_\bot$ for all $y\gamma \in I_{trm}$. This follows from the facts that $x\gamma \in \llbracket \neg A \rrbracket_{\xi,\theta}$ and $by\gamma \in A\xi$ since $y\gamma \in I_{trm}$.

A general proof could certainly be given by using a general formalization of inductive types like in 
[19] for instance. 

9. Inductive-recursive types 

In this section, we define new positivity conditions for dealing with inductive-recursive type definitions 
[13]. An inductive-recursive type C has constructors whose arguments have a type Ft with F defined 
by recursion on t : C, that is, a predicate F and its domain C are defined at the same time. 

A simple example is the type $dlist : (A : \star)(\# : A \Rightarrow A \Rightarrow \star)\star$ of lists made of distinct elements thanks to the predicate $fresh : (A : \star)(\# : A \Rightarrow A \Rightarrow \star)A \Rightarrow (dlist\ A\ \#) \Rightarrow \star$ parametrized by a function $\#$ to test whether two elements are distinct. The constructors of $dlist$ are:

$nil : (A : \star)(\# : A \Rightarrow A \Rightarrow \star)(dlist\ A\ \#)$
$cons : (A : \star)(\# : A \Rightarrow A \Rightarrow \star)(x : A)(l : dlist\ A\ \#)(fresh\ A\ \#\ x\ l) \Rightarrow (dlist\ A\ \#)$

and the rules defining $fresh$ are:

$fresh\ A\ \#\ x\ (nil\ A'\ \#') \to \top$
$fresh\ A\ \#\ x\ (cons\ A'\ \#'\ y\ l\ h) \to x \# y \wedge fresh\ A\ \#\ x\ l$

where $\top$ is the proposition always true and $\wedge$ the connector "and". Other examples are given by Martin-Löf's definition of the first universe à la Tarski [13] or by Pollack's formalization of record types with manifest fields [27].

For allowing defined predicate symbols in constructor types, we must extend the notion of positive 
and negative positions by taking into account the arguments in which a defined predicate symbol is mono- 
tone or anti-monotone. We must also make sure that defined predicate symbols are indeed monotone and 
anti-monotone in the arguments declared to have this property. 

Definition 9.1. (Positive/negative positions - New definition) 

Assume that every predicate symbol $f : (\vec{x} : \vec{T})U$ with $U$ not a product is equipped with a set $Mon^+(f) \subseteq \mathcal{A}^\Box_f = \{i \le |\vec{x}| \mid x_i \in \mathcal{X}^\Box\}$ of monotone arguments and a set $Mon^-(f) \subseteq \mathcal{A}^\Box_f$ of anti-monotone arguments. Definition 4.4 is modified as follows:

- $Pos^\delta(f\vec{t}) = \{1^{|\vec{t}|} \mid \delta = +\} \cup \bigcup\{1^{|\vec{t}|-i}2.Pos^{\epsilon\delta}(t_i) \mid \epsilon \in \{-,+\}, i \in Mon^\epsilon(f)\}$,

- $Pos^\delta(tu) = 1.Pos^\delta(t)$ if $t$ is not of the form $f\vec{t}$.
For instance, in the positive type $trm$ of Section 8, instead of considering $\neg A$ as an abbreviation, one can consider $\neg$ as a predicate symbol defined by the rule $\neg A \to A \Rightarrow \bot$ with $Mon^-(\neg) = \{1\}$. Then, one easily checks that $A$ occurs negatively in $A \Rightarrow \bot$, and hence that $trm$ occurs positively in $\neg\neg trm$ since $Pos^+(\neg\neg trm) = \{1\} \cup 2.Pos^-(\neg trm) = \{1\} \cup 2.2.Pos^+(trm) = \{1, 2.2\}$.
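The computation of $Pos^+(\neg\neg trm)$ just carried out is an instance of a small recursive algorithm: the symbol-application clause of Definition 9.1 together with the product, abstraction and application clauses of Definition 4.4 as they are recalled in the proof of Lemma 5.2. The following Python program is an added example, not code from the paper, implementing $Pos^\delta(t)$, the occurrence positions $Pos(f, t)$ and the test $Pos(f, t) \subseteq Pos^\delta(t)$ over a tuple encoding of terms. The encoding itself, the treatment of variables and sorts as symbols without $Mon$ sets, and the constant `bot` standing for $\bot$ are assumptions of the example. Beyond the page's case it also checks the unfolded abbreviation $(x : (y : trm)\bot)\bot$ and the type $U_3$ of $y_3$ in the recursor of Section 8, where $trm$ must occur negatively (the condition $Pos(D, \vec{U}) \subseteq Pos^-(\vec{U})$ used in the proof of Lemma 5.3).

```python
from typing import Dict, FrozenSet, Set, Tuple

# Constructed implementation of Pos^δ(t) (Definition 9.1 for symbol applications,
# Definition 4.4 as recalled in Lemma 5.2 for products, abstractions and other
# applications) and of the occurrence positions Pos(f, t).
# Terms are tuples:
#   ('sym', f, [t1, ..., tn])   application f t1 ... tn of a symbol or variable
#                               (variables and sorts carry no Mon sets: assumption)
#   ('prod', x, U, V)           the product (x : U)V
#   ('abs', x, U, v)            the abstraction [x : U]v
#   ('app', t, u)               an application tu whose head is not a symbol
# A position is a tuple of 1s and 2s; the empty tuple is the root ε.

Position = Tuple[int, ...]
MonTable = Dict[str, Dict[str, Set[int]]]      # sign -> symbol -> argument indices

def flip(d: str) -> str:
    return '-' if d == '+' else '+'

def times(e: str, d: str) -> str:
    """Sign product εδ."""
    return d if e == '+' else flip(d)

def prefix(p: Position, S) -> FrozenSet[Position]:
    return frozenset(p + q for q in S)

def pos(delta: str, t, mon: MonTable) -> FrozenSet[Position]:
    """Pos^δ(t): the positions at which a symbol may occur with sign δ."""
    kind = t[0]
    if kind == 'sym':
        _, f, args = t
        n = len(args)
        res: Set[Position] = set()
        if delta == '+':
            res.add((1,) * n)                  # 1^{|t|}: the head symbol itself
        for eps in ('+', '-'):
            for i in mon[eps].get(f, set()):
                if 1 <= i <= n:                # 1^{|t|-i}.2.Pos^{εδ}(t_i)
                    res |= prefix((1,) * (n - i) + (2,),
                                  pos(times(eps, delta), args[i - 1], mon))
        return frozenset(res)
    if kind == 'prod':                         # 1.Pos^{-δ}(U) ∪ 2.Pos^δ(V)
        _, _, U, V = t
        return prefix((1,), pos(flip(delta), U, mon)) | prefix((2,), pos(delta, V, mon))
    if kind == 'abs':                          # 2.Pos^δ(v)
        _, _, _, v = t
        return prefix((2,), pos(delta, v, mon))
    if kind == 'app':                          # 1.Pos^δ(t)
        _, u, _ = t
        return prefix((1,), pos(delta, u, mon))
    raise ValueError(kind)

def occurrences(f: str, t) -> FrozenSet[Position]:
    """Pos(f, t): every position at which the symbol (or variable) f occurs."""
    kind = t[0]
    if kind == 'sym':
        _, g, args = t
        n = len(args)
        res: Set[Position] = {(1,) * n} if g == f else set()
        for i, a in enumerate(args, 1):
            res |= prefix((1,) * (n - i) + (2,), occurrences(f, a))
        return frozenset(res)
    if kind in ('prod', 'abs'):
        _, x, U, body = t
        res = prefix((1,), occurrences(f, U))
        if x != f:                             # the binder shadows a variable named f
            res |= prefix((2,), occurrences(f, body))
        return res
    if kind == 'app':
        _, u, v = t
        return prefix((1,), occurrences(f, u)) | prefix((2,), occurrences(f, v))
    raise ValueError(kind)

def occurs_only(delta: str, f: str, t, mon: MonTable) -> bool:
    """Pos(f, t) ⊆ Pos^δ(t): f occurs in t only with sign δ."""
    return occurrences(f, t) <= pos(delta, t, mon)

def show(S) -> list:
    return sorted('.'.join(map(str, p)) or 'ε' for p in S)

# --- the example of Section 9: ¬ as a predicate symbol with Mon^-(¬) = {1} ---
MON_NEG: MonTable = {'+': {}, '-': {'neg': {1}}}
MON_OPAQUE: MonTable = {'+': {}, '-': {}}      # ¬ declared without monotony information

def sym(f: str, *args):
    return ('sym', f, list(args))

TRM = sym('trm')
NN_TRM = sym('neg', sym('neg', TRM))            # ¬¬trm
# the same type with ¬A unfolded to the abbreviation (x : A)⊥
NN_TRM_UNFOLDED = ('prod', 'x', ('prod', 'y', TRM, sym('bot')), sym('bot'))
# U3 = ¬¬trm ⇒ ¬¬A ⇒ A, the type of y3 in the recursor of Section 8
A = sym('A')
U3 = ('prod', '_', NN_TRM, ('prod', '_', sym('neg', sym('neg', A)), A))

if __name__ == "__main__":
    print(show(pos('+', NN_TRM, MON_NEG)))                      # ['1', '2.2']
    print(occurs_only('+', 'trm', NN_TRM, MON_NEG),             # True
          occurs_only('+', 'trm', NN_TRM, MON_OPAQUE))          # False
```

With `MON_OPAQUE`, $\neg$ is treated as an ordinary constant and $Pos^+(\neg\neg trm)$ collapses to $\{1\}$, so the occurrence of $trm$ at $2.2$ is not positive and the recursor of Section 8 would be rejected; declaring $Mon^-(\neg) = \{1\}$ is exactly what lets the check go through, and the unfolded form shows the same positivity recovered from the product clause alone.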

Definition 9.2. (Positivity conditions - New definition) 

Definition 5.2 is modified as follows. A pre-recursor $f : (\vec{z} : \vec{V})(z : C\vec{z})W$ is a recursor if:

- every $F \simeq C$ occurs only positively in $W$,

- if $i \in Mon^\delta(C)$ then $Pos(z_i, W) \subseteq Pos^\delta(W)$.

Moreover, we assume that, for every rule $F\vec{l} \to r \in \mathcal{R}$ with $F \in \mathcal{DF}^\Box$:

- for all $i \in Mon^\epsilon(F)$, $l_i \in \mathcal{X}^\Box$ and $Pos(l_i, r) \subseteq Pos^\epsilon(r)$.

Now, we must reflect these monotony properties in the interpretations. Then, Theorem 6.1 is still 
valid if we prove that the interpretations for constant and defined predicate symbols have all the monotony 
properties. 

Definition 9.3. (Monotone interpretation) 

Let $\vec{S} \le_i \vec{S}'$ iff $S_i \le S'_i$ and, for all $j \neq i$, $S_j = S'_j$. Let $F$ be a predicate symbol. An interpretation $I \in \mathcal{R}_{\tau_F}$ is monotone (resp. anti-monotone) in its $i$-th argument if $I(\vec{t}, \vec{S}) \le I(\vec{t}, \vec{S}')$ whenever $\vec{S} \le_i \vec{S}'$ (resp. $\vec{S} \ge_i \vec{S}'$). An interpretation $I \in \mathcal{R}_{\tau_F}$ is monotone if it is monotone in every $i \in Mon^+(F)$ and anti-monotone in every $i \in Mon^-(F)$. Let $\mathcal{R}^m_{\tau_F}$ be the set of monotone interpretations of $\mathcal{R}_{\tau_F}$.

One can easily check that $\mathcal{R}^m_{\tau_F}$ is a complete lattice too. For proving that interpretations for predicate symbols are monotone, we need to prove Lemma 5.2 again, and to prove a similar lemma on candidate assignments.

Lemma 9.1. If $I \le_f I'$, $Pos(f, t) \subseteq Pos^\delta(t)$, $\Gamma \vdash t : T$ and $\xi \models \Gamma$ then $\llbracket t \rrbracket^I_{\xi,\theta} \le^\delta \llbracket t \rrbracket^{I'}_{\xi,\theta}$.

Proof:

We only have to check the case $t = g\vec{t}$. Let $R = \llbracket g\vec{t} \rrbracket^I_{\xi,\theta}$ and $R' = \llbracket g\vec{t} \rrbracket^{I'}_{\xi,\theta}$. $R = I_g(\vec{t}\theta, \vec{S})$ with $\vec{S} = \llbracket \vec{t} \rrbracket^I_{\xi,\theta}$. $R' = I'_g(\vec{t}\theta, \vec{S}')$ with $\vec{S}' = \llbracket \vec{t} \rrbracket^{I'}_{\xi,\theta}$. Let $i \le n = |\vec{t}|$. If $Pos(f, t_i) = \emptyset$ then $S_i = S'_i$. Otherwise, there is $\epsilon_i$ such that $i \in Mon^{\epsilon_i}(g)$ and $Pos(f, t_i) \subseteq Pos^{\epsilon_i\delta}(t_i)$. Thus, by induction hypothesis, $S_i \le^{\epsilon_i\delta} S'_i$. Let $S^j_i = S_i$ if $i > j$, and $S^j_i = S'_i$ otherwise. $S^0 = \vec{S}$, $S^n = \vec{S}'$ and, for all $1 \le j \le n$, $S^{j-1} \le^{\epsilon_j\delta}_j S^j$. Since $I_g$ is monotone, for all $1 \le j \le n$, $I_g(\vec{t}\theta, S^{j-1}) \le^{\epsilon_j\epsilon_j\delta} I_g(\vec{t}\theta, S^j)$, that is, $I_g(\vec{t}\theta, S^{j-1}) \le^\delta I_g(\vec{t}\theta, S^j)$ since $\epsilon_j^2 = +$. Thus, $R = I_g(\vec{t}\theta, \vec{S}) \le^\delta I_g(\vec{t}\theta, \vec{S}')$. Now, if $g \neq f$ then $I_g = I'_g$ and $R \le^\delta R'$. If $g = f$ then $\delta = +$ and $R \le R'$ since $I_f \le I'_f$. □

Lemma 9.2. Let $\xi \le_x \xi'$ iff $x\xi \le x\xi'$ and, for all $y \neq x$, $y\xi = y\xi'$. If $I$ is monotone, $\xi \le_x \xi'$, $Pos(x, t) \subseteq Pos^\delta(t)$, $\Gamma \vdash t : T$ and $\xi, \theta \models \Gamma$ then $\llbracket t \rrbracket_{\xi,\theta} \le^\delta \llbracket t \rrbracket_{\xi',\theta}$.

Proof:

By induction on $t$. The proof is very similar to the previous lemma. We only detail the following two cases:

• $\llbracket x \rrbracket_{\xi,\theta} = x\xi \le x\xi' = \llbracket x \rrbracket_{\xi',\theta}$ and $\delta = +$ necessarily.

• Let $R = \llbracket g\vec{t} \rrbracket_{\xi,\theta}$ and $R' = \llbracket g\vec{t} \rrbracket_{\xi',\theta}$. $R = I_g(\vec{t}\theta, \vec{S})$ with $\vec{S} = \llbracket \vec{t} \rrbracket_{\xi,\theta}$, $R' = I_g(\vec{t}\theta, \vec{S}')$ with $\vec{S}' = \llbracket \vec{t} \rrbracket_{\xi',\theta}$. Let $i \le n = |\vec{t}|$. If $Pos(x, t_i) = \emptyset$ then $S_i = S'_i$. Otherwise, there is $\epsilon_i$ such that $i \in Mon^{\epsilon_i}(g)$ and $Pos(x, t_i) \subseteq Pos^{\epsilon_i\delta}(t_i)$. Thus, by induction hypothesis, $S_i \le^{\epsilon_i\delta} S'_i$. Let $S^j_i = S_i$ if $i > j$, and $S^j_i = S'_i$ otherwise. $S^0 = \vec{S}$, $S^n = \vec{S}'$ and, for all $1 \le j \le n$, $S^{j-1} \le^{\epsilon_j\delta}_j S^j$. Since $I_g$ is monotone, for all $1 \le j \le n$, $I_g(\vec{t}\theta, S^{j-1}) \le^{\epsilon_j\epsilon_j\delta} I_g(\vec{t}\theta, S^j)$, that is, $I_g(\vec{t}\theta, S^{j-1}) \le^\delta I_g(\vec{t}\theta, S^j)$ since $\epsilon_j^2 = +$. Thus, $R \le^\delta R'$.

□

Lemma 9.3. The interpretations for predicate symbols are monotone. 
Proof: 

We first prove it for constant predicate symbols. Assuming that $I$ is monotone, we must prove that $\varphi^I_C$ is monotone. Let $i \in Mon^\delta(C)$ and $\vec{S} \le^\delta_i \vec{S}'$ (i.e. $\vec{S} \le_i \vec{S}'$ if $\delta = +$ and $\vec{S} \ge_i \vec{S}'$ if $\delta = -$). We must prove that $R = \varphi^I_C(\vec{t}, \vec{S}) \subseteq R' = \varphi^I_C(\vec{t}, \vec{S}')$. If some $t_i$ has no normal form then $R = R' = \mathcal{SN}$. Assume now that every $t_i$ has a normal form $t_i^*$. Let $t \in R$, $f \in \mathcal{R}ec(C)$ of type $(\vec{z} : \vec{V})(z : C\vec{z})(\vec{y} : \vec{U})V$, $\vec{y}\xi$ and $\vec{y}\theta$ such that $\xi^{\vec{S}'}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}} \models_I \vec{y} : \vec{U}$. We must prove that $f\vec{t}^* t\vec{y}\theta \in \llbracket V \rrbracket^I_{\xi^{\vec{S}'}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}}}$. To this end, it is sufficient to prove that $\llbracket \vec{U} \rrbracket^I_{\xi^{\vec{S}'}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}}} \subseteq \llbracket \vec{U} \rrbracket^I_{\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}}}$ and that $\llbracket V \rrbracket^I_{\xi^{\vec{S}}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}}} \subseteq \llbracket V \rrbracket^I_{\xi^{\vec{S}'}_{\vec{z}}, \theta^{\vec{t}^*}_{\vec{z}}}$, which is the case by Lemma 9.2 since $Pos(z_i, W) \subseteq Pos^\delta(W)$ by assumption.

We now prove that the interpretation for defined predicate symbols is monotone. Let $F$ be a defined predicate symbol. Let $i \in Mon^\delta(F)$ and $\vec{S} \le^\delta_i \vec{S}'$. We must prove that $R = I_F(\vec{t}, \vec{S}) \subseteq R' = I_F(\vec{t}, \vec{S}')$. Assume that every $t_i$ has a normal form $t_i^*$ and that $\vec{t}^* = \vec{l}\sigma$ for some rule $F\vec{l} \to r \in \mathcal{R}$. If this is not the case then $R = R' = \mathcal{SN}$. So, $R = \llbracket r \rrbracket_{\xi,\sigma}$ with $x\xi = S_{\kappa_x}$, and $R' = \llbracket r \rrbracket_{\xi',\sigma}$ with $x\xi' = S'_{\kappa_x}$. If, for all $x \in FV^\Box(r)$, $\kappa_x \neq i$, then $\xi = \xi'$ and $R = R'$. Otherwise, $i = \kappa_x$ for some $x$, and $\xi \le^\delta_x \xi'$ (i.e. $\xi \le_x \xi'$ if $\delta = +$ and $\xi' \le_x \xi$ if $\delta = -$). By Lemma 9.2, $R \le^\delta R'$ since $Pos(x, r) \subseteq Pos^\delta(r)$ by assumption. Thus, $R \subseteq R'$ since $\delta^2 = +$. □

10. Conclusion 

By using an elimination-based interpretation for some inductive types, we proved that the Calculus of 
Algebraic Constructions subsumes the Calculus of Inductive Constructions almost completely. We de- 
fine general conditions on recursors for preserving strong normalization and show that these conditions 
are satisfied by a large class of recursors for strictly positive types and by some non-strictly positive types 
too. Finally, we give general positivity conditions for dealing with inductive-recursive types. 